CVE-2026-40423: F5 Traffic Management Microkernel (TMM) Termination Vulnerability
CVE-2026-40423 describes a vulnerability in F5 Networks products where undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate when a SIP profile is configured on a virtual server, leading to a denial-of-service condition.
CVE-2026-40423 is a vulnerability affecting F5 Networks’ Traffic Management Microkernel (TMM). When a SIP profile is configured on a virtual server, specifically crafted, but currently undisclosed, network traffic can trigger a termination of the TMM process. This leads to a denial-of-service condition, impacting the availability of affected F5 services. The vulnerability was reported by F5 Networks on May 13, 2026. Exploitation requires a SIP profile to be configured on a virtual server. This issue matters for defenders because it allows a remote, unauthenticated attacker to potentially disrupt critical services protected by affected F5 devices.
Attack Chain
- An attacker identifies a vulnerable F5 device with a SIP profile configured on a virtual server.
- The attacker crafts malicious, undisclosed network traffic specifically designed to trigger the vulnerability.
- The attacker sends the crafted traffic to the vulnerable virtual server.
- The F5 device processes the malicious traffic through the SIP profile.
- The crafted traffic exploits a flaw in the TMM’s handling of SIP traffic.
- This causes the Traffic Management Microkernel (TMM) process to crash.
- The TMM termination results in a denial-of-service condition, impacting services relying on the F5 device.
Impact
Successful exploitation of CVE-2026-40423 leads to a denial-of-service condition, potentially disrupting critical services protected by the vulnerable F5 device. The F5 advisory provides no specific victim counts or sector targeting, but the availability impact is high for any services behind an F5 virtual server that uses a SIP profile. Given the nature of F5 devices, this could impact a wide range of organizations relying on their load balancing and traffic management capabilities.
Recommendation
- Monitor network traffic for patterns indicative of SIP profile exploitation and TMM crashes by deploying the Sigma rule "Detect F5 TMM Termination via SIP Profile".
- Reference the F5 Networks advisory https://my.f5.com/manage/s/article/K000161023 for further information and potential mitigations.
- Since the specific traffic is undisclosed, closely monitor F5 Networks’ security advisories for future updates and recommended configurations.
- Investigate any unexpected TMM process terminations on F5 devices, referencing the CVE identifier CVE-2026-40423 during the investigation.
Detection coverage (2 rules)
Detect F5 TMM Termination via SIP Profile
Level: medium. Detects a TMM termination event that occurs when processing SIP traffic. This rule should be tuned to avoid false positives based on expected restart frequency.
Detect SIP traffic to configured virtual servers
Level: info. Detects connections being made to configured virtual servers using SIP.
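As an added example (not code from the F5 advisory or from the detection rules named above), the following Python combines the two detections: it reports a TMM termination only when SIP connections reached the same device in the preceding 30 seconds, and it skips terminations inside a known maintenance window. The event format, field names, host names and addresses are constructed assumptions; real F5 log messages differ, so the pattern has to be adapted.

```python
"""Correlate TMM terminations with preceding SIP connections (added example)."""
import re
from datetime import datetime, timedelta

# Constructed events in a hypothetical normalized format; real F5 log
# messages differ, so adapt LINE_RE to what your devices actually emit.
SAMPLE = """\
2026-05-14T02:00:10Z bigip1 event=tmm_terminated
2026-05-14T10:00:01Z bigip1 event=sip_conn vs=vs_sip src=198.51.100.7
2026-05-14T10:00:02Z bigip2 event=sip_conn vs=vs_sip src=203.0.113.9
2026-05-14T10:00:05Z bigip1 event=tmm_terminated
2026-05-14T11:30:00Z bigip2 event=tmm_terminated
"""

LINE_RE = re.compile(r"^(\S+) (\S+) event=(\w+)(?: vs=(\S+) src=(\S+))?$")


def parse(text):
    """Yield (timestamp, host, event, vs, src) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield (ts, *m.groups()[1:])


def correlate(text, window=timedelta(seconds=30), maintenance=()):
    """Return terminations preceded by SIP traffic on the same host.

    Terminations inside a maintenance interval (start, end) count as
    expected restarts and are skipped, which is the tuning the rule needs.
    """
    recent = {}    # host -> [(timestamp, virtual server, source)]
    findings = []
    for ts, host, event, vs, src in sorted(parse(text), key=lambda e: e[0]):
        if event == "sip_conn":
            recent.setdefault(host, []).append((ts, vs, src))
        elif event == "tmm_terminated":
            if any(start <= ts <= end for start, end in maintenance):
                continue
            peers = {(v, s) for t, v, s in recent.get(host, [])
                     if ts - t <= window}
            if peers:
                findings.append({"host": host, "time": ts,
                                 "sip_peers": sorted(peers)})
    return findings
```

On the constructed sample, only the 10:00:05 termination on bigip1 is reported; the other two have no SIP connection on the same device within the window.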