CVE-2026-40629 Overview
CVE-2026-40629 is a denial-of-service vulnerability affecting F5 products where a Secure Sockets Layer (SSL) profile is configured on a virtual server. Undisclosed network traffic can cause the virtual server to stop processing new client connections, disrupting service availability. The flaw is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling). Software versions that have reached End of Technical Support (EoTS) are not evaluated by the vendor. The issue is remotely exploitable over the network without authentication or user interaction.
Critical Impact
A remote unauthenticated attacker can send crafted traffic that halts new client connections on affected SSL-enabled virtual servers, causing service downtime.
Affected Products
- F5 products with SSL profiles configured on virtual servers (see F5 advisory K000158978 for the version matrix)
- Only software versions still within technical support are evaluated; EoTS versions are not assessed and may also be affected
- BIG-IP deployments that terminate SSL/TLS on a virtual server
Discovery Timeline
- 2026-05-13 - CVE-2026-40629 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40629
Vulnerability Analysis
The vulnerability resides in the SSL traffic processing path of F5 virtual servers. When undisclosed traffic patterns reach a virtual server configured with an SSL profile, the server enters a state where it no longer accepts new client connections. Existing sessions may continue, but service availability for new clients is broken until intervention.
The weakness maps to CWE-770, indicating resource allocation without proper limits or throttling. The EPSS score places exploitation probability low at the time of publication, but the network-reachable, unauthenticated nature of the attack increases operational risk for internet-facing virtual servers.
Root Cause
The root cause is improper resource management in the SSL processing logic. Specific traffic conditions consume or block connection-handling resources, preventing the virtual server from accepting subsequent client TCP connections. The vendor has not disclosed the exact traffic pattern in order to limit pre-patch exploitation.
Attack Vector
An attacker sends crafted traffic to a virtual server with an active SSL profile. No authentication, privileges, or user interaction are required. The result is a denial of service against the virtual server's capacity to handle new client connections. The vendor has withheld technical specifics of the triggering traffic. See the F5 Knowledge Article K000158978 for details.
Detection Methods for CVE-2026-40629
Indicators of Compromise
- Sudden drop in the new-connection rate on virtual servers with SSL profiles while the current-connection count stays roughly flat (existing sessions keep running, new ones are not accepted)
- TCP SYNs to a TLS-terminating virtual IP (VIP) going unanswered or timing out, while the BIG-IP itself remains reachable
- External health checks against the VIP failing while the pool members behind it stay healthy, coinciding with anomalous TLS traffic
Detection Strategies
- Baseline new-connection-per-second metrics on SSL virtual servers and alert on sharp declines
- Inspect F5 logs (/var/log/ltm) for SSL handshake errors or connection table anomalies
- Correlate inbound traffic spikes from single sources against connection acceptance rate drops
Monitoring Recommendations
- Enable SNMP and telemetry streaming for the per-virtual-server client-side counters (current and total connections; in the F5-BIGIP-LOCAL-MIB these are ltmVirtualServStatClientCurConns and ltmVirtualServStatClientTotConns)
- Monitor TLS handshake success and failure rates from network packet capture or flow telemetry
- Set thresholds on virtual server availability via external synthetic probes for early outage detection
How to Mitigate CVE-2026-40629
Immediate Actions Required
- Review the F5 Knowledge Article K000158978 and identify affected versions in your fleet
- Apply vendor-supplied fixed releases to all BIG-IP systems running SSL-enabled virtual servers
- Restrict virtual server exposure to trusted networks where business requirements allow
Patch Information
F5 published remediation guidance in Knowledge Article K000158978. Administrators should upgrade to a fixed software version listed by F5 for their product line. Versions that have reached End of Technical Support are not evaluated and should be migrated to supported releases.
Workarounds
- Apply ingress access control lists (ACLs) to limit which source addresses can reach SSL-enabled virtual servers
- Deploy upstream rate limiting and connection throttling at perimeter firewalls or DDoS mitigation devices
- Configure F5 connection limits and eviction policies on affected virtual servers to reduce exposure
- Use redundant virtual servers with health-based failover to maintain availability during an attack
# Example: restrict accepted client source networks and cap connections on a BIG-IP virtual server
# (the network 203.0.113.0/24 and the iRule /Common/restrict_sources are placeholders; substitute your own)
# Accept clients only from the listed source network (the default of 0.0.0.0/0 accepts any source)
tmsh modify ltm virtual /Common/vs_https source 203.0.113.0/24
# Cap concurrent client-side connections so a flood cannot exhaust the connection table
tmsh modify ltm virtual /Common/vs_https connection-limit 50000
# Optionally attach an existing iRule that drops or rate-limits unwanted sources
tmsh modify ltm virtual /Common/vs_https rules { /Common/restrict_sources }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.