CVE-2026-40423 Overview
CVE-2026-40423 affects F5 BIG-IP virtual servers configured with a Session Initiation Protocol (SIP) profile. Undisclosed network traffic sent to an affected virtual server can cause the Traffic Management Microkernel (TMM) to terminate. Termination of TMM disrupts data plane traffic processing and results in a denial-of-service (DoS) condition.
The vulnerability is tracked under CWE-770: Allocation of Resources Without Limits or Throttling. F5 has not evaluated software versions that have reached End of Technical Support (EoTS).
Critical Impact
An unauthenticated remote attacker can trigger TMM process termination on F5 BIG-IP devices with a SIP profile attached to a virtual server, disrupting all traffic processed by the affected appliance.
Affected Products
- F5 BIG-IP appliances with a SIP profile configured on a virtual server
- Refer to F5 Security Article K000161023 for the full list of evaluated versions
- Software versions that have reached End of Technical Support (EoTS) are not evaluated
Discovery Timeline
- 2026-05-13 - CVE-2026-40423 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40423
Vulnerability Analysis
The Traffic Management Microkernel (TMM) is the core data plane component of F5 BIG-IP. It handles all traffic that traverses the appliance, including SIP signaling when a SIP profile is attached to a virtual server. When TMM terminates, the device fails to process traffic until the process restarts.
The flaw is triggered by undisclosed SIP-related traffic sent to a virtual server bound to a SIP profile. F5 has not published the specific malformed message structure that triggers the condition. The advisory categorizes the issue under CWE-770, indicating that resources allocated during SIP processing are not properly constrained.
Exploitation results in a denial-of-service condition affecting the availability of the data plane. Confidentiality and integrity are not impacted.
Root Cause
The root cause is improper resource handling within the SIP processing path inside TMM. Specific malformed or unexpected SIP traffic consumes resources or reaches an invalid state that causes the TMM process to abort. Because TMM is the central traffic handler, its termination cascades into a service outage.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted traffic to a TCP or UDP port serviced by a virtual server with a SIP profile attached. Any reachable virtual server using a SIP profile is exposed.
No public proof-of-concept code or exploit is available at the time of publication. The EPSS data reflects no current evidence of in-the-wild exploitation. Technical specifics of the triggering packet structure remain undisclosed in F5 Security Article K000161023.
Detection Methods for CVE-2026-40423
Indicators of Compromise
- Unexpected TMM core dump files generated on the BIG-IP appliance
- tmm process restart entries in /var/log/ltm or /var/log/tmm
- Sudden loss of traffic processing on virtual servers with SIP profiles attached
- Failover events on high-availability BIG-IP pairs triggered by TMM termination
Detection Strategies
- Monitor BIG-IP system logs for tmm restart messages and core dump generation events
- Correlate SIP traffic spikes from unusual sources with TMM availability metrics
- Inspect SIP traffic destined to SIP-profile virtual servers for malformed headers or non-RFC-compliant messages
- Enable iRules logging on SIP virtual servers to capture session-level anomalies preceding TMM failure
Monitoring Recommendations
- Forward BIG-IP /var/log/ltm, /var/log/tmm, and audit logs to a centralized SIEM for retention and alerting
- Alert on any tmm process restart or core dump creation across the fleet
- Track virtual server availability and connection-rate anomalies on SIP-profile virtual servers
- Baseline normal SIP traffic sources and alert on connections from unexpected networks
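The log-based indicators and alerting recommendations above can be turned into a simple triage check. The following shell script is an added example, not part of the F5 advisory or of any F5 tooling: it scans BIG-IP-style log lines for TMM core dump and restart messages and counts them so a SIEM or cron job can alert. The sample log lines, message IDs, process names and the tmm.core path are all constructed for illustration and will differ across BIG-IP versions; on a real system pipe /var/log/ltm into tmm_events instead of the sample.

```shell
#!/bin/sh
# Added example (not from the F5 advisory): flag TMM core dump and restart
# events in BIG-IP-style log lines.
#
# SAMPLE_LOG is a constructed stand-in for /var/log/ltm. The message IDs,
# wording and core path are made up for this example; real BIG-IP messages
# vary by version, so tune the patterns in tmm_events against your own logs.
SAMPLE_LOG='May 13 10:02:11 bigip1 info tmm[4321]: 01010028:6: No members available for pool /Common/sip_pool
May 13 10:02:12 bigip1 notice sod[1200]: 010c0054:5: Recovered from failover, standby
May 13 10:04:40 bigip1 warning tmm[4321]: 01010008:4: Writing core to /shared/core/tmm.core.4321
May 13 10:04:44 bigip1 notice mcpd[2000]: 01070417:5: Process tmm restarted
May 13 10:05:01 bigip1 info tmm[4398]: 01010029:6: Connection count 12 for /Common/vs_sip'

# tmm_events: print only the lines on stdin that indicate a TMM core dump
# or a TMM process restart/termination. Case-insensitive so that variants
# such as "Restarting tmm" are still caught.
# Usage: tmm_events < /var/log/ltm
tmm_events() {
    grep -Ei 'writing core|tmm\.core|process tmm restarted|tmm.*(restart|terminat)'
}

# tmm_event_count: number of TMM core/restart lines on stdin. Always prints
# a number (0 when nothing matches) so callers can compare it to a threshold.
tmm_event_count() {
    tmm_events | grep -c . || true
}

# Stand-alone run over the constructed sample: any non-zero count on a
# SIP-profile BIG-IP is worth an alert, since the advisory's only observable
# symptom is TMM terminating.
count=$(printf '%s\n' "$SAMPLE_LOG" | tmm_event_count)
printf 'TMM core/restart events in sample: %s\n' "$count"
printf '%s\n' "$SAMPLE_LOG" | tmm_events
```

The same two functions work unchanged on a log forwarded to a SIEM host: feed the raw file to tmm_event_count and alert when the result is non-zero, then correlate the timestamps with connection-rate data for the SIP virtual servers.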
How to Mitigate CVE-2026-40423
Immediate Actions Required
- Apply the fixed software versions identified in F5 Security Article K000161023
- Inventory all BIG-IP virtual servers using SIP profiles and prioritize them for patching
- Restrict network access to SIP-profile virtual servers using firewall rules and AFM policies
- Validate that BIG-IP instances on EoTS software are upgraded to a supported, evaluated version
Patch Information
F5 has published remediation guidance in F5 Security Article K000161023. Administrators should review the article for the list of fixed versions and apply the appropriate upgrade for their BIG-IP branch. Versions past End of Technical Support are not evaluated and should be migrated to a supported release.
Workarounds
- Remove the SIP profile from virtual servers that do not require SIP processing
- Apply source-IP allow-listing to SIP virtual servers via AFM or upstream firewalls to limit exposure to trusted SIP peers
- Use rate limiting on SIP virtual servers to reduce the volume of unexpected traffic
- Configure BIG-IP HA pairs to fail over gracefully and monitor for repeated failovers indicating exploitation attempts
# Example: list virtual servers with a SIP profile attached
tmsh list ltm virtual one-line | grep -i sip
# Example: remove a SIP profile from a virtual server if not required
tmsh modify ltm virtual <vs_name> profiles delete { sip }
# Example: restrict a SIP virtual server to a trusted source network and ingress VLAN
# (<trusted_cidr> and trusted_sip_vlan are placeholders for your environment;
# the source property limits client addresses, vlans-enabled limits the listening VLANs)
tmsh modify ltm virtual <vs_name> source <trusted_cidr> \
    vlans-enabled vlans add { trusted_sip_vlan }
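To check that the source and VLAN workarounds above are actually in place across a fleet, the inventory command output can be audited rather than eyeballed. The following shell script is an added example, not from the F5 advisory or F5 code: it parses lines in the format of tmsh list ltm virtual one-line, keeps virtual servers whose profiles block names a profile containing "sip" (the same name-based match as the grep above, so custom SIP profile names must be added), and reports which of them still accept traffic from any source without a VLAN restriction. The SAMPLE_TMSH text is constructed; on a BIG-IP run tmsh list ltm virtual one-line | sip_exposure instead.

```shell
#!/bin/sh
# Added example (not from the F5 advisory): report SIP-profile virtual servers
# that are still reachable from any source.
#
# SAMPLE_TMSH is constructed output in the shape of "tmsh list ltm virtual
# one-line"; the names and addresses are made up for this example.
SAMPLE_TMSH='ltm virtual vs_sip_open { destination 10.1.1.10:5060 ip-protocol udp mask 255.255.255.255 profiles { sip { } udp { } } source 0.0.0.0/0 vlans-disabled vs-index 2 }
ltm virtual vs_sip_vlan { destination 10.1.1.11:5060 ip-protocol tcp mask 255.255.255.255 profiles { tcp { } sip { } } source 0.0.0.0/0 vlans { trusted_sip_vlan } vlans-enabled vs-index 3 }
ltm virtual vs_sip_src { destination 10.1.1.12:5060 ip-protocol udp mask 255.255.255.255 profiles { sip { } udp { } } source 192.0.2.0/24 vlans-disabled vs-index 4 }
ltm virtual vs_web { destination 10.1.1.20:443 ip-protocol tcp mask 255.255.255.255 profiles { http { } tcp { } } source 0.0.0.0/0 vlans-disabled vs-index 5 }'

# sip_exposure: read one-line virtual server definitions on stdin and print
# "EXPOSED <name> ..." or "RESTRICTED <name> ..." for each SIP-profile virtual
# server. A server is EXPOSED when its source is the any-address default and
# vlans-enabled is not set; anything else counts as RESTRICTED.
sip_exposure() {
    awk '
    /^ltm virtual / {
        name = $3; has_sip = 0; src = ""; vlans_on = 0; inprof = 0; depth = 0
        for (i = 1; i <= NF; i++) {
            # Enter the "profiles { ... }" block and skip its opening brace.
            if (!inprof && $i == "profiles" && $(i + 1) == "{") {
                inprof = 1; depth = 1; i++; continue
            }
            if (inprof) {
                # Profile names are the bare tokens at depth 1 inside the block.
                if ($i == "{") depth++
                else if ($i == "}") { depth--; if (depth == 0) inprof = 0 }
                else if (depth == 1 && tolower($i) ~ /sip/) has_sip = 1
                continue
            }
            if ($i == "source") src = $(i + 1)
            if ($i == "vlans-enabled") vlans_on = 1
        }
        if (!has_sip) next
        if (src == "") src = "0.0.0.0/0"    # treat a missing source as the any-address default
        status = "RESTRICTED"
        if ((src == "0.0.0.0/0" || src == "::/0") && !vlans_on) status = "EXPOSED"
        printf "%s %s source=%s vlans-enabled=%s\n", status, name, src, (vlans_on ? "yes" : "no")
    }'
}

# exposed_count: number of EXPOSED SIP virtual servers on stdin (0 when none).
exposed_count() {
    sip_exposure | grep -c '^EXPOSED' || true
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_TMSH" | sip_exposure
printf 'Exposed SIP virtual servers: %s\n' "$(printf '%s\n' "$SAMPLE_TMSH" | exposed_count)"
```

Every EXPOSED line is a candidate for the source or VLAN restriction shown above, or for removing the SIP profile where SIP processing is not needed; a non-zero exposed_count is a useful gate in a configuration-compliance job until the fixed release from K000161023 is installed.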
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.