SB2026051447 - Multiple vulnerabilities in BIG-IP
Published: May 14, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Command injection (CVE-ID: CVE-2026-41953)
The vulnerability allows a remote user to escalate privileges or bypass Appliance mode restrictions.
The vulnerability exists due to command injection in TMOS when modifying configuration objects through the management port or self IP addresses. A remote privileged user can modify configuration objects to escalate privileges or bypass Appliance mode restrictions.
In Appliance mode deployments, successful exploitation can cross a security boundary. There is no data plane exposure; this is a control plane issue only.
2) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-39455)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to missing release of resource after effective lifetime in the httpd process of the Configuration utility when handling undisclosed traffic while LDAP authentication is enabled. A remote attacker can send undisclosed traffic to cause a denial of service.
This is a control plane issue only and there is no data plane exposure. Only systems configured to use Lightweight Directory Access Protocol authentication are vulnerable.
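Because CVE-2026-39455 only affects systems that authenticate administrators against LDAP, a quick way to triage a fleet is to read the configured authentication source from tmsh. The helper below is an added example, not part of this bulletin or of any F5 tooling; it assumes that `tmsh list auth source` prints the source in the form `auth source { type <source> }`, and the sample listings it embeds are constructed for illustration.

```shell
#!/bin/sh
# Added triage helper (not from the bulletin): decide whether a BIG-IP device
# is in scope for CVE-2026-39455 (httpd DoS, LDAP authentication only) from
# the output of `tmsh list auth source`. The listing format assumed here,
# "auth source { type <source> }", is an assumption of this example.

# ldap_auth_in_scope reads a tmsh "auth source" listing on stdin and
# returns 0 (in scope) when the type is ldap, 1 otherwise.
ldap_auth_in_scope() {
    # Flatten the listing to one line, then extract the value after "type".
    src=$(tr '\n' ' ' | sed -n 's/.*type[[:space:]]*\([a-z-]*\).*/\1/p')
    [ "$src" = "ldap" ]
}

# check_sample feeds a listing held in a string through the check, so the
# same logic can be exercised offline against constructed samples.
check_sample() {
    printf '%s\n' "$1" | ldap_auth_in_scope
}

# Constructed sample listings standing in for real tmsh output.
SAMPLE_LDAP='auth source {
    type ldap
}'
SAMPLE_LOCAL='auth source {
    type local
}'

# On a real device the check is run as:
#   tmsh list auth source | ldap_auth_in_scope && echo "LDAP auth: in scope"
check_sample "$SAMPLE_LDAP" && echo "sample 1: LDAP auth configured, in scope"
check_sample "$SAMPLE_LOCAL" || echo "sample 2: local auth, not in scope"
```

A device that reports `ldap` here still needs the vendor update; a device on any other source is outside the scope of this particular issue but is still affected by CVE-2026-41953 if it exposes the management port or self IPs to privileged users.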
Remediation
Install the update from the vendor's website.