K000161068: NGINX ngx_quic_module vulnerability CVE-2026-40460

Security Advisory Description When NGINX Plus or NGINX Open Source is configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. CVE-2026-40460 Impact This vulnerability allows a remote,...

K000158038: BIG-IP TMM vulnerability CVE-2026-41956

Security Advisory Description When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel TMM to terminate. CVE-2026-41956 Impact Traffic is disrupted while the TMM process restarts. This vulnerability allows a remote,...

K000160972: BIG-IP and BIG-IQ privilege escalation vulnerability CVE-2026-32643

Security Advisory Description A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. CVE-2026-32643 Impact This vulnerability may allow...

K000160971: BIG-IP and BIG-IQ privilege escalation vulnerability CVE-2026-42406

Security Advisory Description A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. CVE-2026-42406 Impact This vulnerability may allow...

K000160973: iControl SOAP vulnerability CVE-2026-42063

Security Advisory Description A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. CVE-2026-42063 Impact This vulnerability may allow a remote, authenticated attacker with Resource Administrator...

K000158029: iControl REST vulnerability CVE-2026-20916

Security Advisory Description An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system. CVE-2026-20916 Impact An authenticated attacker with low privileges can exploit this vulnerability remotel...

K000158070: iControl REST vulnerability CVE-2026-28758

Security Advisory Description When BIG-IP DNS is provisioned, a vulnerability exists in the gtmadd and bigipadd iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged,...

K000160788: iControl REST and tmsh vulnerability CVE-2026-40061

Security Advisory Description When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell tmsh command that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher...

K000150508: BIG-IP BFD vulnerability CVE-2026-34019

Security Advisory Description When Bidirectional Forwarding Detection BFD is configured in Static and Dynamic routing protocols, undisclosed traffic can cause the Traffic Management Microkernel TMM to stop processing BFD packets and cause the configured routing protocol to fail over. CVE-2026-340...

K000156604: BIG-IP httpd access control vulnerability CVE-2026-40435

Security Advisory Description When configured, IP-based access restrictions for httpd do not cover all endpoints, which may allow connections from blocked addresses. CVE-2026-40435 Impact This vulnerability allows an attacker to connect to the BIG-IP control plane HTTP services; however, the...

K000160727: BIG-IP Advanced WAF and ASM vulnerability CVE-2026-40060

Security Advisory Description When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. CVE-2026-40060 Impact Traffic is disrupted while the bd process restarts. This vulnerability allows a remote,...

K35544022: BIG-IP Configuration utility CSRF vulnerability CVE-2026-40703

Security Advisory Description A cross-site request forgery CSRF vulnerability exists in the dashboard of the BIG-IP Configuration utility. CVE-2026-40703 Impact A remote, unauthenticated attacker may exploit this vulnerability by causing an authenticated user to send a crafted request to the BIG-...

K000161021: NGINX ngx_http_ssl_module vulnerability CVE-2026-40701

Security Advisory Description NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpsslmodule module when the sslverifyclient directive is set to "on" or "optional," and the sslocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this...

K000158971: BIG-IP Appliance mode vulnerability CVE-2026-42919

Security Advisory Description A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary. CVE-2026-42919 Impact The vulnerability allows the...

K000161019: NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945

Security Advisory Description NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttprewritemodule module. This vulnerability exists when the "rewrite" directive with a query string is followed in the same location by the "if" or "set" directive with an unnamed Perl-Compatible Regula...

K000160874: BIG-IP Configuration utility vulnerability CVE-2026-39455

Security Advisory Description When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol LDAP authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors. CVE-2026-39455 Impact The Configuration utility stops...

K000157981: BIG-IP DNS tmsh vulnerability CVE-2026-42408

Security Advisory Description When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell tmsh command that may allow a highly privileged authenticated attacker to view sensitive information. CVE-2026-42408 Impact An authenticated attacker with Resource Administrator role...

K000160875: BIG-IP PEM iRules vulnerability CVE-2026-41218

Security Advisory Description When BIG-IP PEM iRules are configured on a virtual server iRules using commands starting with CLASSIFICATION:: , CLASSIFY::, PEM:: , PSC:: , and the urlcatquery command, undisclosed traffic can cause the Traffic Management Microkernel TMM to terminate. CVE-2026-41218...

K000158979: BIG-IP HTTP/2 Layer 7 DoS Protection vulnerability CVE-2026-41227

Security Advisory Description On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel TMM process to terminate. CVE-2026-41227 Impact Traffic is disrupted while the TMM proce...

K000161056: BIG-IP APM vulnerability CVE-2026-40067

Security Advisory Description When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate. CVE-2026-40067 Impact Traffic is disrupted while the apmd process restarts. This vulnerability allows an unauthenticated attacker to cause ...