6389 matches found
K000159076: Quarterly Security Notification (February 2026)
Security Advisory Description On February 4, 2026, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associate...
K000158072: BIG-IP Advanced WAF and ASM vulnerability CVE-2026-22548
Security Advisory Description When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate. CVE-2026-22548 Impact Traffic is disrupted while the bd process...
K000157960: BIG-IP Container Ingress Services vulnerability CVE-2026-22549
Security Advisory Description A vulnerability exists in F5 BIG-IP Container Ingress Services that may allow excessive permissions to read cluster secrets. CVE-2026-22549 Impact A remote, authenticated attacker with high privilege access to BIG-IP Container Ingress Services may be able to read...
K000158931: BIG-IP Edge Client for Windows vulnerability CVE-2026-20730
Security Advisory Description A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information. CVE-2026-20730 Impact An attacker with local access could exploit this vulnerability to list processes and obtain session...
K000156644: BIG-IP Configuration utility vulnerability CVE-2026-20732
Security Advisory Description A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages. CVE-2026-20732 Impact An attacker may trick authenticated BIG-IP users into accessing malicious links and reflect a spoofed error message in...
K000156643: BIG-IP SMTP configuration security exposure
Security Advisory Description An authenticated attacker granted the guest role on a BIG-IP system can modify the SMTP Server Host Name as well as the SMTP Server Port Number settings and run the Test Connection feature. This issue occurs when the following condition is met: The affected BIG-IP...
K000159824: NGINX vulnerability CVE-2026-1642
Security Advisory Description A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security TLS servers. An attacker with a man-in-the-middle MITM position on the upstream server side—along with conditions beyond the attacker's control—may be abl...
K000159879: MySQL vulnerability CVE-2026-21929
Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Parser. Supported versions that are affected are 9.0.0-9.5.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL...
K000159874: SSSD vulnerability CVE-2025-11561
Security Advisory Description A flaw was found in the integration of Active Directory and the System Security Services Daemon SSSD on Linux systems. In default configurations, the Kerberos local authentication plugin sssdkrb5localauthplugin is enabled, but a fallback to the an2ln plugin is...
K000159873: Linux kernel vulnerability CVE-2025-39881
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: kernfs: Fix UAF in polling when open file is released A use-after-free UAF vulnerability was identified in the PSI Pressure Stall Information monitoring mechanism: BUG: KASAN: slab-use-after-free in...
K000159869: Telnetd vulnerability CVE-2026-24061
Security Advisory Description Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. CVE-2026-24061 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product...
K000159868: OpenSSL vulnerability CVE-2025-15467
Security Advisory Description Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsi...
K000159867: MySQL vulnerability CVE-2026-21941
Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Optimizer. Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multip...
K000159856: Binutils vulnerability CVE-2025-66862
Security Advisory Description A buffer overflow vulnerability in function gnuspecial in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. CVE-2025-66862 Impact There is no impact; F5 products are not affected by this vulnerability. F5 previously...
K000159855: Multiple MySQL vulnerabilities
Security Advisory Description CVE-2026-21937 Vulnerability in the MySQL Server product of Oracle MySQL component: Server: DDL. Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access v...
K000159716: Oracle Java SE vulnerability CVE-2026-21947
Security Advisory Description Vulnerability in Oracle Java SE component: JavaFX. Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successf...
K000159700: React framework vulnerability CVE-2026-23864
Security Advisory Description Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests ...
K000159707: NPM vulnerability CVE-2025-59145
Security Advisory Description color-name is a JSON with CSS color names. On 8 September 2025, an npm publishing account for color-name was taken over after a phishing attack. Version 2.0.1 was published, functionally identical to the previous patch version, but with a malware payload added...
K000159699: Net-SNMP snmptrapd vulnerability CVE-2025-68615
Security Advisory Description net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre...
K000159681: Credential harvesting campaign targeting F5 VPN users
On January 13, 2026, researchers identified a large-scale credential harvesting campaign targeting several VPN providers, including F5. The threat actors behind the campaign registered numerous doppelgänger domains designed to mimic legitimate F5 domains. These domains are used to deceive victims...
K000159684: OpenSSH vulnerabilities CVE-2025-61984 and CVE-2025-61985
Security Advisory Description CVE-2025-61984 ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence...
K000159667: GNU Binutils vulnerabilities CVE-2025-11082 and CVE-2025-11083
Security Advisory Description CVE-2025-11082 A flaw has been found in GNU Binutils 2.45. Impacted is the function bfdelfparseehframe of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution...
K000159607: Node-forge vulnerability CVE-2025-12816
Security Advisory Description An interpretation-conflict CWE-436 vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic...
K000159661: libxml2 vulnerabilities CVE-2025-32414 and CVE-2025-32415
Security Advisory Description CVE-2025-32414 In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API Python bindings because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between...
K000159628: Podman vulnerability CVE-2022-2739
Security Advisory Description The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker ...
K000159626: libpng vulnerability CVE-2025-64720
Security Advisory Description LIBPNG is a reference library for use in applications that read, create, and manipulate PNG Portable Network Graphics raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in pngimagereadcomposite when processing palette...
K000159609: Apache Tika vulnerability CVE-2025-66516
Security Advisory Description Critical XXE in Apache Tika tika-core 1.13-3.2.1, tika-pdf-module 2.0.0-3.2.1 and tika-parsers 1.13-1.28.5 modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same...
K000159608: Oracle GraalVM for JDK vulnerability CVE-2025-61755
Security Advisory Description Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE component: Compiler. Supported versions that are affected are Oracle GraalVM for JDK: 17.0.16 and 21.0.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via...
K000159077: GNU Tar vulnerability CVE-2019-9923
Security Advisory Description paxdecodeheader in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers. CVE-2019-9923 There is no impact; F5 products are not affected by this vulnerability. Note : F5 previously reported...
K000159600: Rack vulnerability CVE-2022-30123
Security Advisory Description A sequence injection vulnerability exists in Rack 2.0.9.1, 2.1.4.1 and 2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack. CVE-2022-30123 Impact There is no impact; F5 products are not affected by this vulnerability...
K000159594: NLnet Labs Unbound vulnerability CVE-2025-11411
Security Advisory Description NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the...
K000159586: PowerDNS vulnerability CVE-2025-59023
Security Advisory Description Crafted delegations or IP fragments can poison cached delegations in Recursor. CVE-2025-59023 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently supported releases...
K000159578: ImageMagick vulnerability CVE-2025-68618
Security Advisory Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue. CVE-2025-68618 Impact There is no impact; F...
K000159546: Python vulnerability CVE-2024-5642
Security Advisory Description CPython 3.9 and earlier doesn't disallow configuring an empty list "" for SSLContext.setnpnprotocols which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used see CVE-2024-5535 for OpenSSL. This vulnerability is of...
K000159544: Redis Lua vulnerability CVE-2025-49844
Security Advisory Description Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution...
K000159078: Podman vulnerability CVE-2024-3056
Security Advisory Description A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will...
K000159062: Linux kernel vulnerability CVE-2024-56627
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Out-of-Bounds Read in ksmbdvfsstreamread An offset from client could be a negative value, it could lead to an out-of-bounds read from the streambuf. Note that this issue is coming when...
K000159061: Linux kernel vulnerability CVE-2024-56626
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Out-of-Bounds Write in ksmbdvfsstreamwrite. An offset from client could be a negative value, it could allows to write data outside the bounds of the allocated buffer. Note that this issue ...
K000159060: Linux kernel vulnerability CVE-2024-56615
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: bpf: fix OOB devmap writes when deleting elements Jordy reported issue against XSKMAP which also applies to DEVMAP - the index used for accessing map entry, due to being a signed integer, causes the...
K000159059: Linux kernel vulnerability CVE-2024-56614
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: xsk: fix OOB map writes when deleting elements Jordy says: " In the xskmapdeleteelem function an unsigned integer map-maxentries is compared with a user-controlled signed integer k. Due to implicit...
K000159043: ImageMagick vulnerability CVE-2025-69204
Security Advisory Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, in the WriteSVGImage function, using an int variable to store numberattributes caused an integer overflow. This, in turn, triggered a buffer...
K000159018: Linux kernel vulnerability CVE-2023-53178
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: mm: fix zswap writeback race condition The zswap writeback mechanism can cause a race condition resulting in memory corruption, where a swapped out page gets swapped in with data that was written to ...
K000159017: Apache HTTP Server vulnerability CVE-2025-3891
Security Advisory Description A flaw was found in the modauthopenidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently,...
K000159016: PowerDNS vulnerability CVE-2025-59029
Security Advisory Description An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY. CVE-2025-59029 Impact There is no impact; F5 products are not affected by this...
K000159014: Intel UEFI vulnerability CVE-2025-30185
Security Advisory Description Active debug code for some Intel UEFI reference platforms within Ring 0: Kernel may allow a denial of service and escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable data alteration. This result m...
K000159002: Linux kernel vulnerability CVE-2025-39718
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skbput When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtiovsockskbrxput. Unfortunately,...
K000158999: Linux kernel vulnerability CVE-2025-38628
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: vdpa/mlx5: Fix release of uninitialized resources on error path The commit in the fixes tag made sure that mlx5vdpafree is the single entrypoint for removing the vdpa device resources added in...
K000158972: Linux kernel (nilfs) vulnerability CVE-2022-50367
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfsmdtdestroy In allocinode, inodeinitalways could return -ENOMEM if securityinodealloc fails, which causes inode-iprivate uninitialized. Then nilfsismetadatafileinode return...
K000158955: Intel QAT vulnerability CVE-2025-33000
Security Advisory Description Improper input validation for some Intel QuickAssist Technology before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalatio...
K000158954: Apache Struts vulnerability CVE-2025-64775
Security Advisory Description Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which...