PatchSiren cyber security CVE debrief
CVE-2026-40060 F5 CVE debrief
CVE-2026-40060 is a HIGH-severity vulnerability (CVSS score: 8.7) affecting BIG-IP Advanced WAF and ASM security policies. When a security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. The vulnerability was published on May 13, 2026, and modified on June 29, 2026. F5 is the affected vendor. Software versions that have reached End of Technical Support (EoTS) are not evaluated.
- Vendor: F5
- Product: BIG-IP
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-06-29
- Advisory published: 2026-05-13
- Advisory updated: 2026-06-29
Who should care
Security teams and administrators responsible for BIG-IP Advanced WAF or ASM security policy configurations should be aware of this vulnerability. The vulnerability's HIGH severity and potential impact on service availability make it a priority for organizations using affected versions.
Technical summary
The vulnerability occurs when a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server. Undisclosed requests can cause the bd process to terminate, potentially leading to service disruption. The affected products include BIG-IP Application Security Manager and BIG-IP Advanced Web Application Firewall. Specific CPE criteria and version ranges are provided in the source item metadata.
Defensive priority
Apply mitigations and updates as recommended by the vendor. Review and update BIG-IP Advanced WAF or ASM security policy configurations to minimize potential impact.
Recommended defensive actions
- Review BIG-IP Advanced WAF or ASM security policy configurations for potential vulnerabilities.
- Apply vendor-recommended mitigations and updates.
- Monitor for undisclosed requests that could cause bd process termination.
- Consider compensating controls to minimize potential impact.
- Update inventory and track affected systems for remediation.
Evidence notes
The CVE record and NVD detail provide official information on the vulnerability. The source item metadata includes CPE criteria and version ranges for affected products. Vendor advisory and mitigation information are available.
Official resources
- CVE-2026-40060 CVE record (CVE.org)
- CVE-2026-40060 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.