CVE-2026-40067 Overview
CVE-2026-40067 is a denial-of-service vulnerability affecting F5 BIG-IP Access Policy Manager (APM). When an APM access policy is configured on a virtual server, undisclosed traffic patterns can cause the apmd process to terminate. This disrupts authentication and access enforcement for any application protected by the affected virtual server. The flaw is categorized under [CWE-120] (Buffer Copy without Checking Size of Input). Remote, unauthenticated attackers can trigger the condition over the network without user interaction. F5 published the issue in advisory K000161056, noting that versions which have reached End of Technical Support are not evaluated.
Critical Impact
Remote, unauthenticated attackers can crash the apmd process on BIG-IP APM, breaking access policy enforcement and causing denial of service for protected applications.
Affected Products
- F5 BIG-IP Access Policy Manager (APM)
- BIG-IP virtual servers configured with an APM access policy
- Specific supported versions listed in F5 advisory K000161056
Discovery Timeline
- 2026-05-13 - CVE-2026-40067 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40067
Vulnerability Analysis
The vulnerability resides in apmd, the daemon responsible for evaluating BIG-IP Access Policy Manager policies. When a virtual server has an APM access policy attached, the daemon processes inbound traffic to apply authentication and authorization controls. Undisclosed traffic patterns trigger a fault in apmd that causes the process to terminate.
The CWE-120 classification indicates the underlying defect is a buffer copy without sufficient input size validation. The vulnerability impacts availability only. Confidentiality and integrity are not affected, and the issue does not lead to code execution based on the available advisory data.
F5 has not published exploit code, and no public proof-of-concept is available. The EPSS data indicates a low near-term exploitation probability, but the attack vector is network-based and requires no privileges or user interaction.
Root Cause
The root cause is improper bounds checking in input handling within apmd. Malformed or specifically crafted traffic reaching a virtual server bound to an APM access policy causes the daemon to crash. F5's advisory references this as [CWE-120], a classic buffer copy weakness.
Attack Vector
An unauthenticated remote attacker sends crafted traffic to a BIG-IP virtual server that has an APM access policy enabled. The traffic is processed by apmd, which terminates upon parsing the malformed input. Repeated triggers can sustain a denial-of-service condition against access-controlled applications. Refer to the F5 Security Advisory K000161056 for traffic and version specifics.
Detection Methods for CVE-2026-40067
Indicators of Compromise
- Repeated apmd process crashes or core dumps on BIG-IP systems
- Sudden loss of access policy enforcement on APM-protected virtual servers
- Authentication failures or session interruptions for end users after malformed traffic events
- High-availability failover events tied to APM service termination
Detection Strategies
- Monitor BIG-IP system logs (/var/log/apm, /var/log/ltm) for apmd termination, restart, or core dump messages
- Alert on process supervisor events that restart apmd outside of maintenance windows
- Correlate APM service interruptions with inbound traffic anomalies on virtual servers configured with access policies
Monitoring Recommendations
- Enable centralized log forwarding from BIG-IP devices to a SIEM and create rules for apmd crash signatures
- Track availability metrics for APM-protected virtual servers and alert on sudden drops in successful authentications
- Capture packet samples on virtual servers with APM policies to support post-incident analysis of crash-inducing traffic
How to Mitigate CVE-2026-40067
Immediate Actions Required
- Review the F5 Security Advisory K000161056 and identify any BIG-IP versions in your environment matching the affected list
- Upgrade affected BIG-IP APM instances to a fixed software version published by F5
- Restrict network reachability to virtual servers with APM access policies, allowing only trusted source ranges where feasible
- Validate that End of Technical Support (EoTS) versions are decommissioned, as F5 does not evaluate them for this CVE
Patch Information
F5 has published fixed software versions through its support portal. Refer to F5 advisory K000161056 for the authoritative list of fixed releases per BIG-IP branch. Apply the vendor-supplied update through standard BIG-IP upgrade procedures and verify apmd stability after the upgrade.
Workarounds
- Where patching is not immediately possible, apply network access controls in front of BIG-IP virtual servers to limit exposure to untrusted sources
- Detach the APM access policy from non-essential virtual servers until the patch is applied, accepting the loss of access controls in exchange for stability
- Enable process monitoring to automatically restart apmd on termination, reducing outage duration
# Configuration example
# Verify BIG-IP version and APM policy bindings
tmsh show /sys version
tmsh list /ltm virtual one-line | grep -i apm
# Monitor apmd process state
bigstart status apmd
tail -f /var/log/apm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
