Cyber Resilience

CVE-2026-39455

HighUpdated

Published: 13 May 2026

Published
13 May 2026
Modified
29 June 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 21.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-39455 is a high-severity Missing Release of Resource after Effective Lifetime (CWE-772) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors. Note: Software versions which have reached End of Technical Support (EoTS) are…

more

not evaluated.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vuln in public-facing BIG-IP config utility (LDAP auth) allows resource exhaustion DoS via crafted traffic, directly enabling T1190 exploitation and T1499.004 application exhaustion.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22891Shared CWE-772
CVE-2025-24120Shared CWE-772
CVE-2026-35227Shared CWE-772
CVE-2026-2359Shared CWE-772
CVE-2026-42577Shared CWE-772
CVE-2025-30256Shared CWE-772
CVE-2026-3104Shared CWE-772
CVE-2026-20082Shared CWE-772
CVE-2026-2261Shared CWE-772
CVE-2025-27421Shared CWE-772

Affected Assets

f5
big-ip access policy manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip advanced firewall manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip advanced web application firewall
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip analytics
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip application acceleration manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip application security manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip application visibility and reporting
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip automation toolchain
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip carrier-grade nat
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip container ingress services
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
+11 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-772

Ensures network resources are released once the session ends or becomes inactive, closing the window for missing-release weaknesses.

References