Scan free
HIGHCVE-2026-41956CVSS 7.5

CVE-2026-41956: DoS in F5 BIG-IP via UDP Classification

Platform

linux

Component

bigip

Fixed in

17.5.1.4

View on NVD
Save

CVE-2026-41956 describes a denial-of-service (DoS) vulnerability in F5 BIG-IP. When a classification profile is configured on a UDP virtual server, specially crafted requests can trigger a crash in the Traffic Management Microkernel (TMM), leading to service disruption. This vulnerability impacts versions 16.1.0 through 17.5.1.4, and a fix is available in version 17.5.1.4.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-41956 allows an attacker to induce a denial-of-service condition on the affected F5 BIG-IP system. This results in the Traffic Management Microkernel (TMM) terminating, effectively halting traffic processing and rendering the virtual server unavailable. The impact can range from temporary service outages to prolonged disruptions, potentially affecting critical applications and services dependent on the BIG-IP infrastructure. The blast radius is limited to the specific UDP virtual server and its associated services, but widespread impact is possible if the affected BIG-IP device handles high-volume traffic or is a critical component of the network infrastructure. While no public exploits are currently available, the DoS nature of the vulnerability makes it a potential target for opportunistic attacks.

Exploitation Context

CVE-2026-41956 was published on May 13, 2026. The vulnerability is not currently listed on CISA KEV or EPSS, suggesting a low to medium probability of exploitation. No public proof-of-concept (POC) code is currently available. Given the DoS nature of the vulnerability and the potential for easy exploitation via crafted requests, it is recommended to prioritize remediation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

CISA SSVC

Exploitationnone
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H7.5HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentbigip
VendorF5
Minimum version16.1.0
Maximum version17.5.1.4
Fixed in17.5.1.4

Weakness Classification (CWE)

CWE-121

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-41956 is to upgrade F5 BIG-IP to version 17.5.1.4 or later, which contains the fix. If immediate upgrade is not feasible, consider implementing temporary workarounds. Review and restrict access to UDP virtual servers with classification profiles, limiting exposure to untrusted sources. Implement rate limiting on UDP traffic to mitigate the impact of potential DoS attacks. Monitor BIG-IP system logs for unusual traffic patterns or error messages related to TMM crashes. After upgrading, confirm the fix by sending a test request to the affected UDP virtual server and verifying that TMM remains stable.

How to fix

Actualice su sistema BIG-IP a una versión que incluya la corrección para evitar la terminación inesperada de TMM. Consulte la nota de seguridad de F5 (https://my.f5.com/manage/s/article/K000158038) para obtener más detalles y las versiones específicas afectadas y corregidas.

Frequently asked questions

What is CVE-2026-41956 — DoS in F5 BIG-IP?

CVE-2026-41956 is a denial-of-service vulnerability affecting F5 BIG-IP versions 16.1.0 through 17.5.1.4. Malicious requests can crash the Traffic Management Microkernel (TMM), causing service disruption.

Am I affected by CVE-2026-41956 in F5 BIG-IP?

You are affected if you are running F5 BIG-IP versions 16.1.0 through 17.5.1.4 and have UDP virtual servers configured with classification profiles.

How do I fix CVE-2026-41956 in F5 BIG-IP?

Upgrade to F5 BIG-IP version 17.5.1.4 or later to resolve the vulnerability. Consider temporary workarounds like rate limiting if immediate upgrade is not possible.

Is CVE-2026-41956 being actively exploited?

There are currently no reports of active exploitation, but the DoS nature of the vulnerability makes it a potential target.

Where can I find the official F5 advisory for CVE-2026-41956?

Refer to the official F5 security advisory for CVE-2026-41956 on the F5 website (https://www.f5.com/security/center/alerts).

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...