Scanner gratuitement

Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

HIGHCVE-2026-39455CVSS 7.5

CVE-2026-39455: File Descriptor Exhaustion in F5 BIG-IP

Plateforme

linux

Composant

bigip

Corrigé dans

21.0.0.2

Voir sur NVD
Sauvegarder
Traduction vers votre langue…

CVE-2026-39455 affects F5 BIG-IP systems utilizing Lightweight Directory Access Protocol (LDAP) authentication. A misconfiguration can trigger an undisclosed traffic pattern, causing the httpd process to exhaust available file descriptors, resulting in a denial-of-service condition. This vulnerability impacts versions 16.1.0 through 21.0.0.2, and a fix is available in version 21.0.0.2.

Impact et Scénarios d'Attaquetraduction en cours…

Successful exploitation of CVE-2026-39455 can lead to a denial-of-service (DoS) attack, rendering the affected BIG-IP system unavailable. This disruption can impact critical services relying on the BIG-IP infrastructure, such as load balancing, web application delivery, and security features. The impact extends beyond the immediate system, potentially affecting applications and users dependent on the BIG-IP's functionality. While the vulnerability doesn't directly expose sensitive data, the DoS can disrupt operations and potentially mask other malicious activity. The blast radius is limited to the services managed by the affected BIG-IP instance.

Contexte d'Exploitationtraduction en cours…

CVE-2026-39455 has been published on 2026-05-13. Its severity is rated HIGH (CVSS 7.5). Public proof-of-concept (POC) code is currently unavailable. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the short term. Monitor F5 security advisories and threat intelligence feeds for updates.

Renseignement sur les Menaces

Statut de l'Exploit

Preuve de ConceptInconnu
CISA KEVNO
Exposition InternetÉlevée

CISA SSVC

Exploitationnone
Automatisableyes
Impact Techniquepartial

Vecteur CVSS

RENSEIGNEMENT SUR LES MENACES· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H7.5HIGHAttack VectorNetworkComment l'attaquant atteint la cibleAttack ComplexityLowConditions requises pour exploiterPrivileges RequiredNoneNiveau d'authentification requisUser InteractionNoneSi une action de la victime est requiseScopeUnchangedImpact au-delà du composant affectéConfidentialityNoneRisque d'exposition de données sensiblesIntegrityNoneRisque de modification non autorisée de donnéesAvailabilityHighRisque d'interruption de servicenextguardhq.com · Score de base CVSS v3.1
Que signifient ces métriques?
Attack Vector
Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
Attack Complexity
Faible — aucune condition spéciale requise. Exploitable de manière fiable.
Privileges Required
Aucun — sans authentification. Aucune identifiant requis pour exploiter.
User Interaction
Aucune — attaque automatique et silencieuse. La victime ne fait rien.
Scope
Inchangé — impact limité au composant vulnérable.
Confidentiality
Aucun — aucun impact sur la confidentialité.
Integrity
Aucun — aucun impact sur l'intégrité.
Availability
Élevé — panne complète ou épuisement des ressources. Déni de service total.

Logiciel Affecté

Composantbigip
FournisseurF5
Version minimale16.1.0
Version maximale21.0.0.2
Corrigé dans21.0.0.2

Classification de Faiblesse (CWE)

CWE-772

Chronologie

  1. Réservé
  2. Publiée

Mitigation et Contournementstraduction en cours…

The primary mitigation for CVE-2026-39455 is upgrading to F5 BIG-IP version 21.0.0.2 or later, which includes the fix. If immediate upgrade is not feasible, implement temporary workarounds. Configure a Web Application Firewall (WAF) or proxy to limit or filter LDAP traffic to the BIG-IP system, specifically targeting the traffic pattern that triggers the file descriptor exhaustion. Review LDAP authentication configurations to ensure they adhere to security best practices and minimize unnecessary LDAP traffic. After upgrading, verify the fix by attempting to reproduce the vulnerability with the traffic pattern described in the advisory; the httpd process should not exhaust file descriptors.

Comment corrigertraduction en cours…

Actualice a una versión corregida de BIG-IP.  Las versiones afectadas incluyen 17.5.1.6, 17.1.3.2, 21.0.0.2 y versiones posteriores de 21.1.0. Consulte la documentación de F5 para obtener instrucciones detalladas de actualización y mitigación.

Questions fréquentestraduction en cours…

What is CVE-2026-39455 — File Descriptor Exhaustion in F5 BIG-IP?

CVE-2026-39455 is a HIGH severity vulnerability in F5 BIG-IP allowing LDAP authentication misconfigurations to exhaust file descriptors, causing a denial-of-service. It affects versions 16.1.0–21.0.0.2.

Am I affected by CVE-2026-39455 in F5 BIG-IP?

You are affected if you are running F5 BIG-IP versions 16.1.0 through 21.0.0.2 and have LDAP authentication enabled. Carefully review your LDAP configuration.

How do I fix CVE-2026-39455 in F5 BIG-IP?

Upgrade to F5 BIG-IP version 21.0.0.2 or later. As a temporary workaround, implement WAF rules to limit LDAP traffic.

Is CVE-2026-39455 being actively exploited?

Currently, there are no public reports of CVE-2026-39455 being actively exploited, but monitoring is crucial.

Where can I find the official F5 advisory for CVE-2026-39455?

Refer to the official F5 security advisory for CVE-2026-39455 on the F5 website: [https://www.f5.com/security/center/advisory/f5-security-advisory-26-07.html](https://www.f5.com/security/center/advisory/f5-security-advisory-26-07.html)

Ton projet est-il affecté ?

Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.

Scanner gratuitementRechercher des CVE
en directfree scan

Essayez maintenant — sans compte

scanZone.subtitle

Scan manuelSlack/email alertsContinuous monitoringWhite-label reports

Glissez-déposez votre fichier de dépendances

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...