This vulnerability (CVE-2026-40060) involves an unchecked return value (CWE-252) in the bd process of F5 BIG-IP devices when Advanced WAF or ASM security policies are applied to virtual servers. The unchecked return value can cause the bd process to terminate unexpectedly, leading to a denial of service. The issue affects multiple versions of BIG-IP, specifically 16.1.0, 17.1.0, 17.5.0, and 21.0.0. The CVSS v3.1 base score is 7.5, reflecting a network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high availability impact. The vulnerability is published and reserved by F5 but no patch or remediation level has been disclosed yet. The software versions that have reached End of Technical Support are excluded from evaluation.

The impact of this vulnerability is a denial of service condition caused by the termination of the bd process on affected BIG-IP devices. This can disrupt the availability of services relying on the BIG-IP virtual servers configured with Advanced WAF or ASM policies. There is no reported impact on confidentiality or integrity. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, monitor vendor communications for updates. No specific mitigations or workarounds are provided in the available data.