medium threat

CVE-2026-40629: F5 Networks Virtual Server Denial of Service

CVE-2026-40629 describes a vulnerability in F5 Networks products where, when SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections, leading to a denial of service.

CVE-2026-40629 is a vulnerability affecting F5 Networks products. When SSL profiles are configured on a virtual server, a specific type of undisclosed traffic can trigger a denial-of-service condition. This condition manifests as the virtual server ceasing to process new client connections. The vulnerability stems from improper resource management when handling certain traffic patterns in conjunction with SSL profiles, leading to resource exhaustion. Exploitation of this vulnerability does not require authentication, making it easily exploitable. This can impact availability of services provided through the virtual server. Note that versions which have reached End of Technical Support (EoTS) are not evaluated.

Attack Chain

  1. An unauthenticated attacker identifies a vulnerable F5 virtual server with SSL profiles configured.
  2. The attacker sends a series of specially crafted network packets to the virtual server’s exposed port (typically 443 for HTTPS).
  3. These packets leverage the undisclosed traffic patterns that trigger the vulnerability.
  4. The virtual server attempts to process the malicious traffic using the configured SSL profiles.
  5. Due to the vulnerability, the server incorrectly allocates or manages resources during the SSL processing.
  6. Repeated sending of the crafted packets causes the virtual server to exhaust its available resources, such as memory or processing threads.
  7. The virtual server becomes unable to accept or process new client connection requests.
  8. Legitimate users are unable to access the services provided by the virtual server, resulting in a denial-of-service condition.

Impact

Successful exploitation of CVE-2026-40629 results in a denial-of-service (DoS) condition. The affected virtual server stops processing new client connections, rendering the services it hosts unavailable to legitimate users. The scope of impact depends on the criticality of the services hosted behind the virtual server. This can disrupt business operations and cause financial losses. While the exact number of potential victims is unknown, all organizations using affected versions of F5 Networks products with SSL profiles configured are at risk.

Recommendation

  • Refer to F5 Networks advisory K000158978 for specific affected versions and mitigation steps.
  • Monitor network traffic for suspicious patterns targeting F5 virtual servers, using the provided Sigma rules.
  • Apply rate limiting to inbound connections to the virtual servers to mitigate resource exhaustion.
  • Deploy the Sigma rule “Detect CVE-2026-40629 DoS Attempt — High Volume of SSL Connections” to identify potential exploitation attempts.

Detection coverage (1 rule)

Detect CVE-2026-40629 DoS Attempt — High Volume of SSL Connections

Level: medium

Detects potential CVE-2026-40629 exploitation attempts by monitoring for a high volume of new SSL connections to a single virtual server within a short timeframe.

  • Format: Sigma
  • Tactics: availability
  • Techniques: T1498
  • Sources: network_connection, firewall
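As an added illustration of the threshold logic this rule describes (not the platform's Sigma query, which is not reproduced on this page), the following Python counts new connections to each virtual server's SSL port over a sliding window and raises an alert once the count crosses a threshold. The log line format, the 10-second window, the threshold of 50 and every address in the sample log are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # assumed "short timeframe"
THRESHOLD = 50                  # assumed number of new connections that counts as a burst

def parse_line(line):
    """Parse a constructed firewall line: '<ISO ts> NEW_CONN <src>:<port> -> <dst>:<port>'."""
    ts, event, src, _, dst = line.split()
    if event != "NEW_CONN":
        return None
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src.rsplit(":", 1)[0], dst_ip, int(dst_port)

def find_bursts(lines, window=WINDOW, threshold=THRESHOLD, ssl_ports=(443,)):
    """Return {vip: (time, count)} for each virtual server IP that saw >= threshold new
    connections on an SSL port inside one sliding window (lines must be in time order)."""
    recent = defaultdict(deque)  # vip -> timestamps still inside the window
    alerts = {}
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        ts, _src, vip, port = rec
        if port not in ssl_ports:
            continue  # the rule only looks at traffic hitting SSL profiles
        q = recent[vip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # expire connections older than the window
        if len(q) >= threshold and vip not in alerts:
            alerts[vip] = (ts, len(q))  # count at the moment the threshold is first crossed
    return alerts

def build_sample_log():
    """Constructed sample: 60 new connections to 10.0.0.5:443 within 6 s (burst),
    5 to 10.0.0.6:443 spread over a minute (benign), 20 to 10.0.0.5:80 (not SSL)."""
    t0 = datetime(2026, 1, 1, 12, 0, 0)
    fmt = "{} NEW_CONN {}:{} -> {}:{}"
    lines = [fmt.format((t0 + timedelta(milliseconds=100 * i)).isoformat(),
                        f"198.51.100.{i % 50 + 1}", 40000 + i, "10.0.0.5", 443) for i in range(60)]
    lines += [fmt.format((t0 + timedelta(seconds=12 * i)).isoformat(),
                         "203.0.113.7", 50000 + i, "10.0.0.6", 443) for i in range(5)]
    lines += [fmt.format((t0 + timedelta(seconds=i)).isoformat(),
                         "203.0.113.8", 51000 + i, "10.0.0.5", 80) for i in range(20)]
    return sorted(lines, key=lambda l: datetime.fromisoformat(l.split()[0]))

if __name__ == "__main__":
    for vip, (ts, n) in find_bursts(build_sample_log()).items():
        print(f"ALERT {vip}: {n} new SSL connections within {WINDOW} at {ts}")
```

A busy virtual server can legitimately exceed such a count, so derive the window and threshold from a baseline of its normal connection rate before alerting on it.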
