CVE-2026-40423 is a resource allocation vulnerability in F5 BIG-IP's Traffic Management Microkernel (TMM). Specifically, when a SIP profile is configured on a virtual server, certain undisclosed traffic patterns can cause the TMM process to terminate unexpectedly. This results in denial of service conditions. The vulnerability affects multiple versions of BIG-IP (21.0.0, 17.5.0, 17.1.0, and 16.1.0). The CVSS v3.1 base score is 7.5, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high impact on availability. No official fix or patch has been announced as of the published date. The vulnerability is categorized under CWE-770, indicating improper resource allocation without limits or throttling.

The vulnerability causes the Traffic Management Microkernel (TMM) on affected BIG-IP versions to terminate when processing certain SIP traffic, leading to denial of service. There is no impact on confidentiality or integrity. The service disruption could affect availability of the BIG-IP system functions relying on TMM. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, monitor the vendor's security advisories for updates. Until a patch is released, consider limiting or filtering SIP traffic to affected virtual servers if feasible to reduce exposure. Avoid using affected versions if possible or plan for upgrade once a fix is available.