Scan free
HIGHCVE-2026-39455CVSS 7.5

CVE-2026-39455: File Descriptor Exhaustion in F5 BIG-IP

Platform

linux

Component

bigip

Fixed in

21.0.0.2

View on NVD
Save

CVE-2026-39455 affects F5 BIG-IP systems utilizing Lightweight Directory Access Protocol (LDAP) authentication. A misconfiguration can trigger an undisclosed traffic pattern, causing the httpd process to exhaust available file descriptors, resulting in a denial-of-service condition. This vulnerability impacts versions 16.1.0 through 21.0.0.2, and a fix is available in version 21.0.0.2.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-39455 can lead to a denial-of-service (DoS) attack, rendering the affected BIG-IP system unavailable. This disruption can impact critical services relying on the BIG-IP infrastructure, such as load balancing, web application delivery, and security features. The impact extends beyond the immediate system, potentially affecting applications and users dependent on the BIG-IP's functionality. While the vulnerability doesn't directly expose sensitive data, the DoS can disrupt operations and potentially mask other malicious activity. The blast radius is limited to the services managed by the affected BIG-IP instance.

Exploitation Context

CVE-2026-39455 has been published on 2026-05-13. Its severity is rated HIGH (CVSS 7.5). Public proof-of-concept (POC) code is currently unavailable. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the short term. Monitor F5 security advisories and threat intelligence feeds for updates.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

CISA SSVC

Exploitationnone
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H7.5HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentbigip
VendorF5
Minimum version16.1.0
Maximum version21.0.0.2
Fixed in21.0.0.2

Weakness Classification (CWE)

CWE-772

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-39455 is upgrading to F5 BIG-IP version 21.0.0.2 or later, which includes the fix. If immediate upgrade is not feasible, implement temporary workarounds. Configure a Web Application Firewall (WAF) or proxy to limit or filter LDAP traffic to the BIG-IP system, specifically targeting the traffic pattern that triggers the file descriptor exhaustion. Review LDAP authentication configurations to ensure they adhere to security best practices and minimize unnecessary LDAP traffic. After upgrading, verify the fix by attempting to reproduce the vulnerability with the traffic pattern described in the advisory; the httpd process should not exhaust file descriptors.

How to fix

Actualice a una versión corregida de BIG-IP.  Las versiones afectadas incluyen 17.5.1.6, 17.1.3.2, 21.0.0.2 y versiones posteriores de 21.1.0. Consulte la documentación de F5 para obtener instrucciones detalladas de actualización y mitigación.

Frequently asked questions

What is CVE-2026-39455 — File Descriptor Exhaustion in F5 BIG-IP?

CVE-2026-39455 is a HIGH severity vulnerability in F5 BIG-IP allowing LDAP authentication misconfigurations to exhaust file descriptors, causing a denial-of-service. It affects versions 16.1.0–21.0.0.2.

Am I affected by CVE-2026-39455 in F5 BIG-IP?

You are affected if you are running F5 BIG-IP versions 16.1.0 through 21.0.0.2 and have LDAP authentication enabled. Carefully review your LDAP configuration.

How do I fix CVE-2026-39455 in F5 BIG-IP?

Upgrade to F5 BIG-IP version 21.0.0.2 or later. As a temporary workaround, implement WAF rules to limit LDAP traffic.

Is CVE-2026-39455 being actively exploited?

Currently, there are no public reports of CVE-2026-39455 being actively exploited, but monitoring is crucial.

Where can I find the official F5 advisory for CVE-2026-39455?

Refer to the official F5 security advisory for CVE-2026-39455 on the F5 website: [https://www.f5.com/security/center/advisory/f5-security-advisory-26-07.html](https://www.f5.com/security/center/advisory/f5-security-advisory-26-07.html)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...