Which versions of BIG-IP are affected by CVE-2026-40618?

F5 BIG-IP Virtual Edition and hardware platforms are vulnerable to denial-of-service attacks when SSL profiles lack hardware crypto acceleration, allowing remote attackers to crash the Traffic…. A patch is available.

BIG-IP CVE-2026-40618

Q: What is the CVSS score of CVE-2026-40618?

CVE-2026-40618 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-29976 HIGH

Incorrect Calculation of Buffer Size (CWE-131)

2026-05-13 f5

GHSA-jrwx-v3xx-xrp8

Information Disclosure Intel

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

May 13, 2026 - 16:22 vuln.today

cvss_changed

CVSS changed

May 13, 2026 - 16:22 NVD

7.5 (HIGH) 8.7 (HIGH)

Analysis Generated

May 13, 2026 - 15:47 vuln.today

CVE Published

May 13, 2026 - 14:12 nvd

HIGH 7.5

DescriptionNVD

When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are configured without hardware crypto acceleration, allowing remote unauthenticated attackers to cause denial of service via undisclosed traffic patterns. CVSS 7.5 (High) with network attack vector and no prerequisites. …

RemediationAI

Within 24 hours: Identify all F5 BIG-IP instances (Virtual Edition and hardware) and audit SSL profile configurations for hardware crypto acceleration status. Within 7 days: Apply F5 vendor patch per advisory K000158082 to all affected BIG-IP systems, prioritizing production load balancers. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory