CVE-2026-39458: DoS in F5 BIG-IP DNS Cache

The primary impact of CVE-2026-39458 is a denial-of-service condition. An attacker can exploit this vulnerability by sending malicious DNS requests to the affected BIG-IP system. Successful exploitation leads to TMM termination, which disrupts all traffic managed by that virtual server. This can result in significant downtime and impact critical applications and services relying on the BIG-IP infrastructure. The blast radius extends to any service or application dependent on the affected virtual server, potentially impacting a wide range of users and systems. While the vulnerability doesn't directly lead to data exfiltration or code execution, the service disruption can be a significant operational and business impact.

1. आरक्षित2026-04-30
2. प्रकाशित2026-05-13

The recommended mitigation for CVE-2026-39458 is to upgrade to BIG-IP version 21.0.0.1 or later, which contains the fix. If immediate upgrade is not feasible, consider implementing temporary workarounds. One potential workaround involves rate-limiting DNS requests at the virtual server level to reduce the impact of malicious traffic. Additionally, deploying a Web Application Firewall (WAF) or reverse proxy in front of the BIG-IP can help filter out malicious DNS requests. Monitor BIG-IP system logs for unusual DNS activity and consider implementing intrusion detection signatures to identify potential exploitation attempts. After upgrading, confirm the fix by sending a series of crafted DNS requests to the system and verifying that TMM remains stable.