Cyber Resilience

CVE-2026-40060

Severity: High
Published: 13 May 2026
Modified: 29 June 2026
KEV Added: not listed
CVSS v4 Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0032 (24.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40060 is a high-severity Unchecked Return Value (CWE-252) vulnerability in F5 BIG-IP Application Security Manager. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 24.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Crafted requests sent to a public-facing virtual server that has a WAF/ASM security policy attached can terminate the bd process (CWE-252); exploiting the public-facing application in this way results in denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40092 (shared CWE-252)
CVE-2025-25724 (shared CWE-252)
CVE-2026-35468 (shared CWE-252)
CVE-2026-34065 (shared CWE-252)
CVE-2026-21920 (shared CWE-252)
CVE-2026-0723 (shared CWE-252)
CVE-2026-28691 (shared CWE-252)
CVE-2026-31830 (shared CWE-252)
CVE-2026-22255 (shared CWE-252)
CVE-2026-22047 (shared CWE-252)

Affected Assets

F5 BIG-IP Application Security Manager: 21.0.0 · 16.1.0 to 16.1.6 · 17.1.0 to 17.1.3 · 17.5.0 to 17.5.1
F5 BIG-IP Advanced Web Application Firewall: 21.0.0 · 16.1.0 to 16.1.6 · 17.1.0 to 17.1.3 · 17.5.0 to 17.5.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
