CVE-2026-22548 Overview
CVE-2026-22548 is a race condition vulnerability affecting F5 BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM). When a security policy is configured on a virtual server, specially crafted undisclosed requests, combined with conditions beyond the attacker's control, can cause the bd (Bot Defense) process to terminate unexpectedly. This results in a denial of service condition that impacts the availability of protected applications.
The vulnerability stems from improper handling of concurrent operations within the security policy enforcement mechanism, classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).
Critical Impact
Successful exploitation can cause the bd process to crash, disrupting WAF and ASM security policy enforcement and potentially leaving protected applications exposed or unavailable.
Affected Products
- F5 BIG-IP Advanced WAF
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP virtual servers with WAF/ASM security policies configured
Discovery Timeline
- 2026-02-04 - CVE-2026-22548 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-22548
Vulnerability Analysis
This vulnerability is a race condition (CWE-362) that occurs during the processing of requests by the BIG-IP Advanced WAF or ASM security policy engine. The bd process, which handles bot defense and security policy enforcement, can enter a vulnerable state when specific timing conditions align during concurrent request processing.
The attack requires network access to the vulnerable virtual server, with no authentication or user interaction necessary. However, successful exploitation depends on environmental factors beyond the attacker's direct control, which adds complexity to reliable exploitation. The primary impact is to system availability—the confidentiality and integrity of the system remain unaffected.
When the race condition is triggered, the bd process terminates abnormally, which can cause:
- Temporary loss of WAF/ASM security policy enforcement
- Service disruption for applications protected by the affected virtual server
- Potential need for manual intervention or automatic process restart
Root Cause
The root cause is a race condition (CWE-362) in the BIG-IP Advanced WAF and ASM security policy processing logic. When multiple requests are processed concurrently, improper synchronization of shared resources within the bd process can lead to an inconsistent state, ultimately causing the process to crash.
Race conditions of this type typically occur when:
- Multiple threads or processes access shared data structures simultaneously
- Proper locking mechanisms are not implemented or are insufficient
- Timing-dependent operations lack adequate synchronization primitives
Attack Vector
The attack vector is network-based, requiring the attacker to send specially crafted requests to a BIG-IP virtual server configured with an Advanced WAF or ASM security policy. The attack characteristics include:
- Network-based access: Remote attackers can target the vulnerability over the network
- No authentication required: The attack does not require valid credentials
- No user interaction: Exploitation can occur without any action from legitimate users
- Timing-dependent: Success depends on environmental conditions and timing that the attacker cannot fully control
The vulnerability manifests when specific request patterns create a timing window that triggers the race condition in the bd process. Due to the probabilistic nature of race conditions, exploitation may require multiple attempts or sustained traffic to successfully trigger the crash. For detailed technical information, refer to the F5 Knowledge Base Article.
Detection Methods for CVE-2026-22548
Indicators of Compromise
- Unexpected termination or restart events for the bd process in BIG-IP system logs
- Multiple entries in /var/log/asm indicating process crashes or restarts
- Increased error rates or connection failures for applications protected by WAF/ASM policies
- Core dump files generated in /var/core/ related to the bd process
Detection Strategies
- Monitor BIG-IP system logs (/var/log/ltm, /var/log/asm) for abnormal bd process termination messages
- Implement alerting on SNMP traps related to process failures or restarts
- Configure health monitors to detect WAF/ASM service interruptions
- Deploy network-based intrusion detection to identify unusual request patterns targeting BIG-IP virtual servers
Monitoring Recommendations
- Enable detailed logging for ASM and Advanced WAF security policies to capture request patterns preceding any crashes
- Set up automated alerts for bd process restarts using SNMP or syslog forwarding to a SIEM platform
- Regularly review /var/log/restjavad.0.log and related logs for signs of exploitation attempts
- Consider implementing SentinelOne Singularity for enhanced endpoint detection and response capabilities on infrastructure management systems
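The restart alerting recommended above can be made burst-aware, since a timing-dependent crash tends to show up as several bd events close together rather than one. The following is an added example, not code from F5 or from the original page: the log lines are constructed in a generic syslog layout (real BIG-IP messages differ), and the threshold of 3 events in 10 minutes is an assumption to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Same keywords as the grep shown in this article, matched case-insensitively.
BD_EVENT = re.compile(r"bd.*(crash|restart|terminated)", re.IGNORECASE)
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s")

# Constructed sample lines in a generic syslog layout; real BIG-IP messages differ.
SAMPLE_LOG = """\
Feb  4 10:01:12 bigip1 notice asm_config: policy applied
Feb  4 10:15:02 bigip1 crit bd[4121]: bd terminated unexpectedly
Feb  4 10:15:09 bigip1 info bigstart: bd restart requested
Feb  4 10:19:44 bigip1 crit bd[4388]: bd crash detected, writing core
Feb  4 10:22:30 bigip1 crit bd[4502]: bd terminated unexpectedly
Feb  4 14:40:00 bigip1 crit bd[5120]: bd terminated unexpectedly
"""

def bd_events(log_text, year=2026):
    """Return sorted timestamps of lines matching the bd crash/restart pattern."""
    events = []
    for line in log_text.splitlines():
        ts = SYSLOG_TS.match(line)
        if ts and BD_EVENT.search(line):
            # Syslog timestamps carry no year, so the caller supplies one (assumption).
            events.append(datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S"))
    return sorted(events)

def find_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return (start, end, count) for each run of >= threshold events inside window."""
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1] - events[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((events[i], events[j], count))
            i = j + 1  # skip past the events already reported
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for start, end, count in find_bursts(bd_events(SAMPLE_LOG)):
        print(f"ALERT: {count} bd events between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

An isolated event, such as the 14:40 line in the sample, stays below the threshold and is left for routine review, while the cluster is raised as a single alert.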
How to Mitigate CVE-2026-22548
Immediate Actions Required
- Review and apply the latest security patches from F5 as outlined in the vendor advisory
- Verify that BIG-IP systems are running supported software versions (End of Technical Support versions are not evaluated)
- Implement rate limiting on virtual servers to reduce the likelihood of triggering the race condition
- Consider temporarily increasing monitoring and alerting thresholds for the bd process
Patch Information
F5 has published a security advisory addressing this vulnerability. Administrators should consult the F5 Knowledge Base Article K000158072 for specific patch versions and upgrade instructions.
Ensure your BIG-IP system is running a software version that has not reached End of Technical Support (EoTS), as unsupported versions are not evaluated for this vulnerability and may remain unpatched.
Workarounds
- Implement additional network-layer protections such as IP allowlisting to limit access to virtual servers with WAF/ASM policies
- Configure automatic process restart policies to minimize downtime if the bd process terminates
- Deploy redundant BIG-IP devices in high-availability configurations to maintain service continuity during exploitation attempts
- Review and harden security policy configurations to minimize processing complexity where possible
# Example: Check bd process status on BIG-IP
tmsh show sys service bd
# Example: Review ASM logs for process crashes
grep -i "bd.*crash\|bd.*restart\|bd.*terminated" /var/log/asm
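# Example: Add an SNMP trap destination for process restart notifications
# (bd_monitor is a placeholder name; replace the host and community placeholders,
# and avoid the default "public" community string)
tmsh modify sys snmp traps add { bd_monitor { host <SNMP_MANAGER_IP> community <COMMUNITY_STRING> version 2c } }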
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

