CVE-2026-40618 Overview
CVE-2026-40618 affects F5 BIG-IP systems when an SSL profile is configured on a virtual server. The vulnerability impacts BIG-IP Virtual Edition (VE) instances without Intel QuickAssist Technology (QAT) and BIG-IP hardware platforms where the crypto.hwacceleration database variable is set to disabled. Undisclosed network traffic can cause the Traffic Management Microkernel (TMM) to terminate, producing a denial-of-service condition. The flaw is classified under [CWE-131] (Incorrect Calculation of Buffer Size). F5 notes that software versions which have reached End of Technical Support (EoTS) are not evaluated for this issue.
Critical Impact
Unauthenticated network attackers can trigger TMM termination, disrupting load balancing and SSL/TLS traffic processing on affected BIG-IP deployments.
Affected Products
- F5 BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT)
- F5 BIG-IP hardware platforms with crypto.hwacceleration set to disabled
- Virtual servers configured with an SSL profile on the above deployments
Discovery Timeline
- 2026-05-13 - CVE-2026-40618 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40618
Vulnerability Analysis
The vulnerability resides in the Traffic Management Microkernel (TMM), the core data-plane component responsible for processing traffic on BIG-IP devices. When a virtual server is configured with an SSL profile and cryptographic operations are handled in software rather than offloaded to hardware, specific undisclosed traffic patterns cause TMM to terminate.
Termination of TMM disrupts all traffic flowing through the BIG-IP, including load-balanced application traffic, SSL/TLS termination, and policy enforcement. The sod daemon restarts TMM automatically and, on an HA pair, fails traffic over to the peer, so a single crash is a short outage; an attacker who keeps sending the triggering traffic produces sustained disruption, and a peer unit that shares the same configuration is exposed in the same way once traffic fails over to it.
The issue is scoped to configurations lacking hardware crypto acceleration. BIG-IP hardware platforms running with crypto.hwacceleration set to the default enabled state, and VE instances using QAT, are not affected.
Root Cause
The weakness is categorized as [CWE-131] (Incorrect Calculation of Buffer Size): a buffer is sized incorrectly while TMM handles the triggering SSL traffic, and the resulting memory error brings the process down. Because the advisory scopes the issue to deployments without hardware crypto offload, the defect most plausibly sits in the software crypto path rather than in the hardware-offload handling, but F5 has not disclosed the affected code path or the traffic characteristics that trigger the condition, and nothing beyond the CWE and the affected-configuration statement should be inferred from the advisory.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker only needs to reach a virtual server that has an SSL profile bound to it on a vulnerable BIG-IP. By sending the triggering traffic, the attacker forces TMM to terminate, interrupting all proxied connections handled by the device.
Since exploitation requires only reachability to an exposed SSL-enabled virtual server, internet-facing BIG-IP deployments are the highest-risk targets. See the F5 Support Article K000158082 for vendor technical details.
Detection Methods for CVE-2026-40618
Indicators of Compromise
- Unexpected TMM restarts recorded in /var/log/ltm (messages from sod and mcpd about tmm exiting or being restarted) that do not line up with configuration changes, software upgrades, or failover tests.
- Core files for the tmm process under /shared/core/ (/var/core/ on older releases) whose timestamps match the restarts.
- Brief but recurring drops in client connections, SSL handshake failures, or virtual server availability alerts.
Detection Strategies
- Monitor BIG-IP system logs (/var/log/ltm, /var/log/tmm) for repeated tmm restart events and panic messages.
- Correlate TMM termination events with inbound traffic captures on affected virtual servers to identify suspicious source addresses or traffic patterns.
- Poll TMM uptime and client-SSL profile statistics (tmsh show sys tmm-info, tmsh show ltm profile client-ssl <name>) over SNMP or a collection job, and watch for counter resets or handshake-failure spikes that coincide with restarts; after an incident, upload a qkview to iHealth for analysis of the core.
Monitoring Recommendations
- Forward BIG-IP syslog to a centralized SIEM and alert on tmm crash signatures.
- Baseline normal SSL handshake volumes per virtual server and alert on anomalous spikes preceding TMM restarts.
- Review crypto.hwacceleration settings across the fleet and flag devices running with the variable disabled.
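The log-based detection described above (repeated tmm restarts in /var/log/ltm, and the SIEM alert built on them) as a worked example. This is added example code, not F5 tooling; the sample log lines are constructed for the example, and the words the regex looks for (exited, crash, core dump, terminat, killed) are an assumption about how sod, mcpd and the kernel describe a TMM death, which varies by version, so tune TMM_TERMINATION_RE against a real restart on your own unit before relying on it.

```python
"""Flag repeated TMM terminations in exported BIG-IP /var/log/ltm lines.

Added example, not F5 code. The message wording matched below is assumed;
confirm it against a real TMM restart on your own device.
"""
import re
from datetime import datetime, timedelta

# Syslog prefix as written to /var/log/ltm: "Mon DD HH:MM:SS host facility[pid]: msg".
SYSLOG_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# Words assumed to accompany a TMM death. The later "tmm restarted" line is
# deliberately not matched so that one crash is counted once.
TMM_TERMINATION_RE = re.compile(
    r"\btmm\d*\b.*?\b(?:core\s*dump|crash|terminat|killed|exited)", re.IGNORECASE
)

# Constructed sample log, not captured from a real device.
SAMPLE_LTM_LOG = """\
May 13 09:00:01 bigip1 notice mcpd[5123]: AUDIT - client tmsh, user admin - list sys tmm-info
May 13 09:02:07 bigip1 err sod[1400]: tmm0 exited unexpectedly, generating core dump
May 13 09:02:09 bigip1 notice sod[1400]: tmm restarted
May 13 09:07:30 bigip1 err sod[1400]: tmm0 exited unexpectedly, generating core dump
May 13 09:07:32 bigip1 notice sod[1400]: tmm restarted
May 13 09:30:00 bigip2 err sod[1400]: tmm0 exited unexpectedly, generating core dump
"""


def tmm_termination_events(lines, year=2026):
    """Return (timestamp, host, message) for every line that records a TMM death.

    /var/log/ltm timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in lines:
        m = SYSLOG_LINE_RE.match(line)
        if not m or not TMM_TERMINATION_RE.search(m.group("msg")):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("host"), m.group("msg")))
    return events


def find_bursts(events, window=timedelta(minutes=10), threshold=2):
    """Per host, slide a window over the termination timestamps and report the
    densest one if it holds at least `threshold` events. One crash may be a
    bug; repeated crashes on an SSL virtual server look like exploitation."""
    by_host = {}
    for ts, host, _msg in sorted(events):
        by_host.setdefault(host, []).append(ts)
    alerts = []
    for host, stamps in by_host.items():
        best = None
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"host": host, "count": count, "first": stamps[start], "last": ts}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(tmm_termination_events(SAMPLE_LTM_LOG.splitlines())):
        print(f"{alert['host']}: {alert['count']} TMM terminations between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

On the sample, bigip1 shows two terminations five minutes apart and is reported; bigip2 shows one and is not. The same window-and-threshold logic is what the SIEM rule should implement, keyed on the host field, with the threshold set above the restart rate you see during normal maintenance.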
How to Mitigate CVE-2026-40618
Immediate Actions Required
- Apply the fixed BIG-IP software versions listed in F5 Support Article K000158082 as soon as they are validated in a test environment.
- Identify all virtual servers with SSL profiles attached and confirm whether they run on VE without QAT or on hardware with crypto.hwacceleration disabled.
- Restrict network exposure of vulnerable virtual servers to trusted sources until patches are deployed.
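The inventory step above (find every virtual server with an SSL profile, then decide whether the unit runs a software-only crypto path) as a worked example over exported tmsh output. This is added example code, not an F5 tool: it joins the output of tmsh list ltm virtual, tmsh list ltm profile client-ssl / server-ssl and tmsh list sys db crypto.hwacceleration. The listings are constructed for the example, the helper names are ours, and the check for a value starting with "disable" is an assumption to confirm against the spelling your unit prints; whether a VE has QAT is not visible in these listings, so the caller passes it in.

```python
"""Scope CVE-2026-40618 exposure from exported tmsh 'list' output.

Added example, not F5 code. Listings below are constructed; the 'disable'
value spelling is an assumption to confirm on your own unit.
"""


def parse_tmsh(text):
    """Parse tmsh brace syntax ('key value', 'key { ... }', 'key { }') into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":                      # close the current block
            cur = stack.pop()
        elif line.endswith("{ }"):           # empty block such as 'http { }'
            cur[line[:-3].strip()] = {}
        elif line.endswith("{"):             # open a nested block
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        else:                                # 'key value', value possibly quoted
            key, _, value = line.partition(" ")
            cur[key] = value.strip().strip('"')
    return root


def ssl_profile_names(*profile_listings):
    """Names of every client-ssl and server-ssl profile in the listings."""
    names = set()
    for listing in profile_listings:
        for header in parse_tmsh(listing):
            if header.startswith(("ltm profile client-ssl ", "ltm profile server-ssl ")):
                names.add(header.split()[-1])
    return names


def virtuals_with_ssl(virtual_listing, ssl_names):
    """Map each virtual server name to the sorted SSL profiles attached to it."""
    result = {}
    for header, body in parse_tmsh(virtual_listing).items():
        if header.startswith("ltm virtual "):
            attached = set(body.get("profiles", {})) & ssl_names
            if attached:
                result[header.split()[-1]] = sorted(attached)
    return result


def hw_crypto_disabled(db_listing):
    """True when crypto.hwacceleration reads 'disable' (spelling assumed)."""
    cfg = parse_tmsh(db_listing).get("sys db crypto.hwacceleration", {})
    return str(cfg.get("value", "")).lower().startswith("disable")


def in_scope_virtuals(virtual_listing, profile_listings, db_listing, ve_without_qat=False):
    """SSL-profiled virtual servers on a unit whose crypto path is software-only
    (VE without QAT, or hardware with crypto.hwacceleration disabled)."""
    if not (ve_without_qat or hw_crypto_disabled(db_listing)):
        return {}
    return virtuals_with_ssl(virtual_listing, ssl_profile_names(*profile_listings))


# Constructed listings in tmsh output format, not captured from a real unit.
SAMPLE_VIRTUALS = """\
ltm virtual vs_api {
    destination 10.0.0.11:443
    profiles {
        api-clientssl {
            context clientside
        }
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
}
ltm virtual vs_http {
    destination 10.0.0.12:80
    profiles {
        http { }
        tcp { }
    }
}
"""
SAMPLE_CLIENT_SSL = """\
ltm profile client-ssl api-clientssl {
    cert api.crt
}
"""
SAMPLE_SERVER_SSL = """\
ltm profile server-ssl serverssl {
    ciphers DEFAULT
}
"""
SAMPLE_DB = """\
sys db crypto.hwacceleration {
    value "disable"
}
"""
```

Run it across the exported listings of every unit in the fleet and the result is the list of virtual servers to restrict (AFM policy, ACL, upstream firewall) until the fixed release is in place. Profile names are matched against the client-ssl and server-ssl listings rather than guessed from the name, because a profile called "ssl-something" proves nothing and a client-ssl profile can be called anything.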
Patch Information
F5 has published guidance and fixed version information in F5 Support Article K000158082. Upgrade affected BIG-IP systems to a version listed as not vulnerable. Software versions that have reached End of Technical Support are not evaluated and should be migrated to a supported release.
Workarounds
- On affected BIG-IP hardware platforms, set the crypto.hwacceleration database variable back to enable (its default) so that SSL processing returns to the hardware crypto path. Establish first why it was disabled, since that setting is normally changed deliberately, and check F5 Support Article K000158082 for whether the change takes effect immediately or requires TMM to be restarted.
- BIG-IP VE has no equivalent toggle: QAT offload depends on the hypervisor or cloud host exposing a QAT device to the guest, so moving to QAT-capable hosts is a re-platforming exercise rather than a quick workaround. For VE, treat patching and exposure reduction as the primary measures.
- Limit inbound access to SSL-enabled virtual servers using network ACLs, AFM policies, or upstream firewalls until patching is complete.
# Configuration example: enable hardware crypto acceleration on supported BIG-IP hardware
tmsh modify sys db crypto.hwacceleration value enable
tmsh save sys config
# Verify current setting
tmsh list sys db crypto.hwacceleration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.