Skip to content
Threat Feed
medium advisory

BIG-IP VE TMM Termination Vulnerability (CVE-2026-40618)

CVE-2026-40618 describes a vulnerability in F5 BIG-IP Virtual Edition (VE) where specific traffic can cause the Traffic Management Microkernel (TMM) to terminate when an SSL profile is configured without Intel QuickAssist Technology (QAT) or with crypto.hwacceleration disabled, potentially leading to a denial-of-service.

CVE-2026-40618 affects F5 BIG-IP Virtual Edition (VE) and hardware platforms where the Traffic Management Microkernel (TMM) can be terminated due to undisclosed traffic conditions. This occurs when an SSL profile is configured on a virtual server without Intel QuickAssist Technology (QAT) support, or when the database variable crypto.hwacceleration is set to disabled. Exploitation results in a denial-of-service condition, impacting availability. F5 has not evaluated software versions that have reached End of Technical Support (EoTS). The vulnerability was reported on May 13, 2026.

Attack Chain

  1. An attacker identifies a vulnerable BIG-IP VE instance without Intel QAT or with crypto.hwacceleration disabled.
  2. The attacker crafts specific network traffic targeting a virtual server configured with an SSL profile.
  3. The malicious traffic is sent to the targeted BIG-IP VE instance.
  4. Due to a calculation error (CWE-131) when processing the SSL traffic, the Traffic Management Microkernel (TMM) experiences a fault.
  5. The TMM process terminates unexpectedly.
  6. The BIG-IP system experiences a denial-of-service condition, as the TMM is responsible for handling traffic.
  7. Legitimate users are unable to access services provided by the BIG-IP VE instance.

Impact

Successful exploitation of CVE-2026-40618 results in a denial-of-service condition on the affected BIG-IP VE instance. This means that the device becomes unavailable, disrupting network services and potentially impacting business operations. The severity is rated high due to the ease of exploitation (low attack complexity, no privileges required).

Recommendation

  • Monitor network traffic for anomalous SSL connections that may be attempting to trigger the vulnerability (see Sigma rule Detect Unusual SSL Traffic to BIG-IP).
  • Refer to F5’s advisory K000158082 for specific mitigation steps and recommended configurations.
  • Enable Intel QuickAssist Technology (QAT) on BIG-IP VE instances where possible to prevent exploitation if the root cause relates to software crypto implementation.
  • Ensure that the crypto.hwacceleration database variable is properly configured according to F5’s recommendations.

Detection coverage 2

Detect Unusual SSL Traffic to BIG-IP

medium

Detects CVE-2026-40618 exploitation — monitors for unusual SSL traffic patterns that may be attempting to trigger the TMM termination.

sigma tactics: denial_of_service techniques: T1499.001 sources: network_connection, windows

Detect BIG-IP TMM Process Termination

high

Detects CVE-2026-40618 exploitation — monitors for unexpected termination of the Traffic Management Microkernel (TMM) process.

sigma tactics: denial_of_service techniques: T1499.001 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →