F5 security advisory (AV26-461)
Analysis Summary
# Vulnerability: F5 Multi-Product Security Updates (May 2026 Quarterly Notification)
## CVE Details
*Note: As this is a summary of a high-level security bulletin (AV26-461), multiple CVEs are addressed in the referenced Quarterly Security Notification.*
- **CVE ID:** Multiple (Refer to F5 K000160932 for specific IDs)
- **CVSS Score:** Variable (Up to High/Critical based on typical quarterly cycles)
- **CWE:** Multiple (Includes resource exhaustion, improper input validation, and bypass vulnerabilities)
## Affected Systems
- **Products:**
  - BIG-IP (All modules, APM, Advanced WAF/ASM, DDoS Hybrid Defender, PEM)
  - BIG-IP Next (CNF, SPK, and Kubernetes)
  - BIG-IQ Centralized Management
  - NGINX Family (NGINX Plus, Open Source, App Protect WAF/DoS, Gateway Fabric, Ingress Controller, Instance Manager)
- **Versions:**
  - **BIG-IP Next CNF:** 1.1.0 to 1.4.1; 2.0.0 to 2.2.1
  - **BIG-IP Next SPK:** 1.7.0 to 1.9.2; 2.0.0 to 2.0.3
  - **NGINX Open Source:** 0.6.27 to 0.9.7; 1.0.0 to 1.30.0
  - **NGINX Plus:** R32 to R36
  - **NGINX App Protect WAF:** 4.9.0 to 4.16.0; 5.1.0 to 5.8.0
  - **BIG-IQ:** 8.4.0
- **Configurations:** Specific to individual CVEs; generally affects management interfaces, data plane traffic processing, and control plane integrations.
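To triage an asset inventory against the version ranges listed above, a small range check is enough. The following is an added example, not code from F5 or from the advisory; the inventory rows, hostnames and status labels are constructed for illustration. A result of `outside-listed-ranges` only means the version is not in the ranges on this page, since per-CVE ranges are in K000160932.

```python
import re

# Inclusive affected ranges, copied from the "Versions" list above.
# BIG-IP itself is absent because this page gives no range for it.
AFFECTED = {
    "BIG-IP Next CNF": [("1.1.0", "1.4.1"), ("2.0.0", "2.2.1")],
    "BIG-IP Next SPK": [("1.7.0", "1.9.2"), ("2.0.0", "2.0.3")],
    "NGINX Open Source": [("0.6.27", "0.9.7"), ("1.0.0", "1.30.0")],
    "NGINX Plus": [("R32", "R36")],
    "NGINX App Protect WAF": [("4.9.0", "4.16.0"), ("5.1.0", "5.8.0")],
    "BIG-IQ": [("8.4.0", "8.4.0")],
}

def parse_version(text):
    """'1.30.0' -> (1, 30, 0); 'R36' or 'R36-p1' -> (36, 0, 0)."""
    parts = []
    for piece in text.strip().lstrip("Rr").split("."):
        m = re.match(r"\d+", piece)  # leading digits only; suffixes like '-p1' are ignored
        if not m:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(m.group()))
    parts += [0] * (3 - len(parts))  # pad so '1.30' compares equal to '1.30.0'
    return tuple(parts)

def status(product, version):
    """Return 'affected', 'outside-listed-ranges' or 'no-range-on-page'."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return "no-range-on-page"
    v = parse_version(version)
    for low, high in ranges:
        if parse_version(low) <= v <= parse_version(high):
            return "affected"
    return "outside-listed-ranges"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("edge-proxy-01", "NGINX Open Source", "1.24.0"),
    ("edge-proxy-02", "NGINX Open Source", "1.30.1"),
    ("api-gw-01", "NGINX Plus", "R36-p1"),
    ("waf-01", "NGINX App Protect WAF", "4.17.0"),
    ("cnf-01", "BIG-IP Next CNF", "1.5.0"),
    ("ltm-01", "BIG-IP", "17.1.0"),
]

def triage(inventory):
    """Attach a status to every (host, product, version) row."""
    return [(h, p, v, status(p, v)) for h, p, v in inventory]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("{:<14} {:<22} {:<8} {}".format(*row))
```

NGINX Plus patch suffixes are deliberately ignored, so a patched R36 build is still reported as `affected` and needs a manual check against the vendor article.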
## Vulnerability Description
This advisory covers the F5 May 2026 Quarterly Security Notification. Technical flaws typically addressed in these updates include **Denial of Service (DoS)** via malformed packets, **Remote Code Execution (RCE)** in management components, and **Security Policy Bypasses** in WAF/ASM modules. The wide range of NGINX products mentioned suggests fixes for core protocol handling and ingress controller logic.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild at the time of publication (Standard for quarterly batch releases).
- **Complexity:** Varies (Typically Low to Medium).
- **Attack Vector:** Network (Most reported F5/NGINX vulnerabilities are network-accessible).
## Impact
- **Confidentiality:** Variable (Possible unauthorized data access in WAF bypass scenarios).
- **Integrity:** Variable (Potential for unauthorized configuration changes).
- **Availability:** High (Significant potential for DoS across BIG-IP and NGINX instances).
## Remediation
### Patches
Users are advised to upgrade to the following or later versions:
- **BIG-IP:** Refer to specific module guidance in K000160932.
- **BIG-IP Next CNF:** Upgrade to versions >2.2.1.
- **BIG-IP Next SPK:** Upgrade to versions >2.0.3 or >1.9.2.
- **NGINX Plus:** Upgrade to R37 or apply specific hotfixes.
- **NGINX Open Source:** Update to the latest stable branch.
### Workarounds
- Restrict access to the Management Interface (MGMT port) to trusted networks only.
- Disable unused services or features identified in specific CVE advisories.
- For WAF bypasses, implement manual custom signatures where applicable.
## Detection
- **Indicators of Compromise:** Unusual spikes in CPU/Memory (DoS), unexpected administrative logins, or unauthorized file system changes on BIG-IP appliances.
- **Detection methods:** Review system logs (`/var/log/ltm`, `/var/log/secure`) and NGINX error logs. Utilize F5 BIG-IP iHealth for automated vulnerability scanning of active configurations.
## References
- **Vendor Advisory:** hxxps[://]my[.]f5[.]com/manage/s/article/K000160932
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/f5-security-advisory-av26-461