CVE-2026-40629: CWE-770 Allocation of Resources Without Limits or Throttling in F5 BIG-IP
When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-40629) in F5 BIG-IP occurs when SSL profiles are configured on a virtual server. Undisclosed traffic patterns can exhaust resources due to lack of allocation limits or throttling, causing the virtual server to stop accepting new client connections. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). It affects versions 16.1.0, 17.1.0, and 17.5.0 of BIG-IP. The CVSS v3.1 base score is 7.5, indicating high severity, with an impact on availability only (no confidentiality or integrity impact). There is no vendor advisory or patch information currently available, and no known exploits in the wild have been reported.
Potential Impact
The vulnerability causes a denial of service condition by preventing the virtual server from processing new client connections when SSL profiles are configured. This impacts the availability of the affected BIG-IP virtual servers but does not affect confidentiality or integrity of data. No known exploitation in the wild has been reported to date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider limiting exposure of affected BIG-IP virtual servers to untrusted traffic or disabling SSL profiles if feasible. Monitor vendor communications for updates on patches or mitigations.
CVE-2026-40629: CWE-770 Allocation of Resources Without Limits or Throttling in F5 BIG-IP
Description
When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-40629) in F5 BIG-IP occurs when SSL profiles are configured on a virtual server. Undisclosed traffic patterns can exhaust resources due to lack of allocation limits or throttling, causing the virtual server to stop accepting new client connections. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). It affects versions 16.1.0, 17.1.0, and 17.5.0 of BIG-IP. The CVSS v3.1 base score is 7.5, indicating high severity, with an impact on availability only (no confidentiality or integrity impact). There is no vendor advisory or patch information currently available, and no known exploits in the wild have been reported.
Potential Impact
The vulnerability causes a denial of service condition by preventing the virtual server from processing new client connections when SSL profiles are configured. This impacts the availability of the affected BIG-IP virtual servers but does not affect confidentiality or integrity of data. No known exploitation in the wild has been reported to date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider limiting exposure of affected BIG-IP virtual servers to untrusted traffic or disabling SSL profiles if feasible. Monitor vendor communications for updates on patches or mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- f5
- Date Reserved
- 2026-04-30T23:02:47.678Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04970dcbff5d8610dff59d
Added to database: 5/13/2026, 3:21:49 PM
Last enriched: 5/13/2026, 3:54:16 PM
Last updated: 5/14/2026, 6:49:06 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.