Cyber Resilience

CVE-2026-40067

Severity: High (updated)
Published: 13 May 2026
Modified: 29 June 2026
KEV Added: not listed
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0032 (24.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40067 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 24.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s)

CWE-120 Classic Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Buffer overflow (CWE-120) in a public-facing APM service enables remote process termination via crafted traffic, directly mapping to application exploitation for endpoint DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37212 (shared CWE-120)
CVE-2025-50648 (shared CWE-120)
CVE-2020-37187 (shared CWE-120)
CVE-2020-37206 (shared CWE-120)
CVE-2025-20115 (shared CWE-120)
CVE-2021-47797 (shared CWE-120)
CVE-2025-50654 (shared CWE-120)
CVE-2020-37213 (shared CWE-120)
CVE-2018-25294 (shared CWE-120)
CVE-2024-24419 (shared CWE-120)

Affected Assets

Vendor: F5
Product: BIG-IP Access Policy Manager
Versions: 21.0.0 · 16.1.0 to 16.1.6 · 17.1.0 to 17.1.3 · 17.5.0 to 17.5.1

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-120: Platform-independent managed code eliminates the need for the unchecked native buffer copies that are the root cause of classic buffer overflows.
