SB2026051448 - Multiple vulnerabilities in BIG-IP

Description

This security bulletin contains information about 3 vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2026-40067)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to buffer copy without checking size of input in SessionDB when processing undisclosed traffic on a virtual server with a BIG-IP APM access policy configured. A remote attacker can send crafted traffic to cause a denial of service.

There is no control plane exposure; this is a data plane issue only.

2) Cross-site request forgery (CVE-ID: CVE-2026-40703)

The vulnerability allows a remote attacker to perform unauthorized create, modify, and delete actions on the dashboard.

The vulnerability exists due to cross-site request forgery in the configuration utility dashboard when handling crafted requests from an authenticated user's browser. A remote attacker can cause an authenticated user to send a crafted request to perform unauthorized create, modify, and delete actions on the dashboard.

This is a control plane issue; there is no data plane exposure.

3) Stack-based buffer overflow (CVE-ID: CVE-2026-42919)

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to stack-based buffer overflow in BIG-IP external monitors when handling administrative access to Appliance mode functionality. A remote privileged user can execute arbitrary system commands to escalate privileges.

This is a control plane issue only and there is no data plane exposure.

Remediation

Install update from vendor's website.

References

• https://my.f5.com/manage/s/article/K000161056
• https://my.f5.com/manage/s/article/K35544022
• https://my.f5.com/manage/s/article/K000158971