BIG-IP Virtual Edition (VE) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/big-ip-virtual-edition-ve/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 13 May 2026 16:22:47 +0000BIG-IP VE TMM Termination Vulnerability (CVE-2026-40618)https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40618/Wed, 13 May 2026 16:22:47 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-40618/CVE-2026-40618 describes a vulnerability in F5 BIG-IP Virtual Edition (VE) where specific traffic can cause the Traffic Management Microkernel (TMM) to terminate when an SSL profile is configured without Intel QuickAssist Technology (QAT) or with crypto.hwacceleration disabled, potentially leading to a denial-of-service.CVE-2026-40618 affects F5 BIG-IP Virtual Edition (VE) and hardware platforms where the Traffic Management Microkernel (TMM) can be terminated due to undisclosed traffic conditions. This occurs when an SSL profile is configured on a virtual server without Intel QuickAssist Technology (QAT) support, or when the database variable crypto.hwacceleration is set to disabled. Exploitation results in a denial-of-service condition, impacting availability. F5 has not evaluated software versions that have reached End of Technical Support (EoTS). The vulnerability was reported on May 13, 2026.

Attack Chain

  1. An attacker identifies a vulnerable BIG-IP VE instance without Intel QAT or with crypto.hwacceleration disabled.
  2. The attacker crafts specific network traffic targeting a virtual server configured with an SSL profile.
  3. The malicious traffic is sent to the targeted BIG-IP VE instance.
  4. Due to a calculation error (CWE-131) when processing the SSL traffic, the Traffic Management Microkernel (TMM) experiences a fault.
  5. The TMM process terminates unexpectedly.
  6. The BIG-IP system experiences a denial-of-service condition, as the TMM is responsible for handling traffic.
  7. Legitimate users are unable to access services provided by the BIG-IP VE instance.

Impact

Successful exploitation of CVE-2026-40618 results in a denial-of-service condition on the affected BIG-IP VE instance. This means that the device becomes unavailable, disrupting network services and potentially impacting business operations. The severity is rated high due to the ease of exploitation (low attack complexity, no privileges required).

Recommendation

  • Monitor network traffic for anomalous SSL connections that may be attempting to trigger the vulnerability (see Sigma rule Detect Unusual SSL Traffic to BIG-IP).
  • Refer to F5’s advisory K000158082 for specific mitigation steps and recommended configurations.
  • Enable Intel QuickAssist Technology (QAT) on BIG-IP VE instances where possible to prevent exploitation if the root cause relates to software crypto implementation.
  • Ensure that the crypto.hwacceleration database variable is properly configured according to F5’s recommendations.
]]>mediumadvisorycvedosbig-ip