CVE-2026-40060 Overview
CVE-2026-40060 is a denial-of-service vulnerability affecting F5 BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM). When a security policy is configured on a virtual server, undisclosed HTTP requests can cause the bd (Bot Defense/enforcement) process to terminate. The vulnerability is categorized under [CWE-252] Unchecked Return Value and is exploitable over the network without authentication or user interaction.
Critical Impact
Remote attackers can crash the bd process on affected BIG-IP devices, disrupting WAF/ASM protection and degrading availability of services protected by the virtual server.
Affected Products
- F5 BIG-IP Advanced WAF (supported versions; End of Technical Support releases are not evaluated)
- F5 BIG-IP ASM (Application Security Manager) on virtual servers with an active security policy
- BIG-IP deployments where the bd enforcement process handles WAF/ASM traffic
Discovery Timeline
- 2026-05-13 - CVE-2026-40060 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40060
Vulnerability Analysis
The vulnerability resides in the bd daemon, which performs traffic inspection and policy enforcement for BIG-IP Advanced WAF and ASM. When a virtual server has a WAF or ASM security policy attached, specifically crafted requests trigger a condition that terminates the bd process. F5 has not disclosed the exact request structure that triggers the crash.
The issue is classified as [CWE-252] Unchecked Return Value. This weakness occurs when a function's return value, which signals error conditions, is not validated before subsequent operations execute. Operating on an unexpected state can lead to invalid memory access or assertion failures, ending in process termination.
When bd terminates, traffic processing for protected virtual servers is interrupted. Repeated triggers can produce a sustained denial-of-service condition against the data-plane security functions.
Root Cause
The defect is a missing check on the return value of an internal function within the bd process. Under specific request conditions, the unchecked result causes the daemon to operate on invalid data and abort. F5 has not published technical details of the affected code path.
Attack Vector
An unauthenticated remote attacker sends crafted HTTP requests to a virtual server protected by a WAF or ASM security policy. No credentials, prior access, or user interaction are required. The attack targets availability only; confidentiality and integrity are not impacted.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploitation mechanics are documented in F5 Support Article K000160727.
Detection Methods for CVE-2026-40060
Indicators of Compromise
- Unexpected restarts of the bd process on BIG-IP devices, visible in /var/log/ltm and /var/log/asm
- Core dump files generated by bd under /var/savecore or /shared/core
- Gaps in WAF/ASM event logs corresponding to bd downtime windows
- Spikes in inbound HTTP traffic to virtual servers immediately preceding bd termination
Detection Strategies
- Monitor BIG-IP system logs for bd daemon termination, restart, or MCPD notifications about WAF process state
- Correlate WAF/ASM event log silence with virtual server availability checks to identify policy enforcement outages
- Use F5 iHealth or tmsh show sys service bd to inspect process uptime and restart counts
Monitoring Recommendations
- Forward BIG-IP syslog and ASM event logs to a centralized SIEM and alert on bd process crash patterns
- Track HTTP request anomalies targeting virtual servers with WAF/ASM policies attached
- Establish a baseline for bd process uptime and alert on deviations
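A detection routine for the log-based indicators and baseline alerting described above, added here as an example that is not part of the original page or of F5's tooling: it parses syslog-style /var/log/ltm lines, counts bd down events per host inside a sliding window, and flags the repeated-crash pattern rather than a single restart. The sample lines and the wording of the sod messages are constructed assumptions; adapt the patterns to the messages your BIG-IP release actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed /var/log/ltm-style sample (syslog layout: timestamp host level proc[pid]: msg).
# The wording of the bd down/restart messages is an assumption for this example, not F5's text.
SAMPLE_LTM_LOG = """\
May 13 10:00:01 bigip1 notice mcpd[1234]: Pool /Common/bd_pool member 10.0.0.5:80 monitor status down
May 13 10:02:14 bigip1 crit sod[5678]: Daemon bd reported as down
May 13 10:02:15 bigip1 notice sod[5678]: Restarting daemon bd
May 13 10:02:40 bigip1 crit sod[5678]: Daemon bd reported as down
May 13 10:02:41 bigip1 notice sod[5678]: Restarting daemon bd
May 13 10:03:05 bigip1 crit sod[5678]: Daemon bd reported as down
May 13 10:03:06 bigip1 notice sod[5678]: Restarting daemon bd
May 13 10:45:00 bigip1 crit sod[5678]: Daemon bigd reported as down
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<level>\w+) "
                       r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
BD_RE = re.compile(r"\bbd\b")  # the daemon name as a whole word: bigd and bd_pool do not match
DOWN_RE = re.compile(r"\b(down|exited|crash(?:ed)?|core)\b", re.I)


def parse_bd_down_events(log_text):
    """Return (host, timestamp) for every line reporting the bd daemon down or crashed.
    Syslog timestamps carry no year; strptime's default year is fine for time deltas."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and BD_RE.search(m.group("msg")) and DOWN_RE.search(m.group("msg")):
            events.append((m.group("host"), datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")))
    return events


def detect_bd_crash_bursts(log_text, threshold=3, window_seconds=600):
    """One alert per host whose bd went down at least `threshold` times inside the window,
    i.e. the repeated-trigger pattern of a sustained DoS rather than a one-off restart."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for host, ts in parse_bd_down_events(log_text):
        by_host[host].append(ts)
    alerts = []
    for host, stamps in sorted(by_host.items()):
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over the sorted down events
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "count": end - start + 1, "first": stamps[start], "last": ts})
                break
    return alerts
```

Restart lines are deliberately not counted, so each crash is recorded once; tune threshold and window_seconds to the uptime baseline you establish for each device.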
How to Mitigate CVE-2026-40060
Immediate Actions Required
- Identify all BIG-IP virtual servers with Advanced WAF or ASM security policies attached using tmsh list ltm virtual
- Apply the fixed software versions referenced in F5 Support Article K000160727 as soon as they are available for your branch
- Restrict network access to BIG-IP virtual servers to known client networks where business requirements allow
- Confirm that BIG-IP instances on End of Technical Support versions are upgraded to a supported branch, since EoTS versions are not evaluated
Patch Information
F5 publishes fixed software versions and engineering hotfixes in F5 Support Article K000160727. Refer to the article for the version matrix that maps your installed release to the corresponding fix. Software versions that have reached End of Technical Support are not evaluated and require upgrade to a supported branch.
Workarounds
- Detach the WAF or ASM security policy from non-essential virtual servers until patching is complete, accepting the reduced application protection trade-off
- Place upstream rate limiting or an additional filtering layer in front of affected virtual servers to reduce exposure to crafted requests
- Enable BIG-IP high availability pairs and automatic failover to minimize downtime when bd terminates
Verification Commands
# Identify virtual servers with WAF/ASM policies attached
tmsh list ltm virtual one-line | grep -i policies
# Check bd process status and restart count
tmsh show sys service bd
# Review recent bd-related log entries
grep -i "bd\|asm" /var/log/ltm | tail -n 200
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


