CVE-2026-22548

5.9 MEDIUM

📋 TL;DR

This vulnerability in BIG-IP Advanced WAF or ASM security policies allows attackers to cause the bd process to terminate through specific requests under certain conditions. This affects F5 BIG-IP systems running vulnerable versions with WAF/ASM policies configured. The impact is denial of service rather than data compromise.

💻 Affected Systems

Products:
  • F5 BIG-IP Advanced WAF
  • F5 BIG-IP ASM
Versions: Specific versions not disclosed in CVE; check F5 advisory for affected versions
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Advanced WAF or ASM security policy is configured on a virtual server. Systems with End of Technical Support (EoTS) versions are not evaluated.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service for the affected virtual server, disrupting application availability until the bd process restarts automatically or manually.

🟠

Likely Case

Intermittent service disruptions as the bd process crashes and restarts, causing temporary application unavailability.

🟢

If Mitigated

Minimal impact with proper monitoring and automated process restart mechanisms in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific request patterns and conditions beyond the attacker's control, which makes it somewhat unpredictable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check F5 advisory K000158072 for specific fixed versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000158072

Restart Required: Yes

Instructions:

1. Review F5 advisory K000158072 for affected versions.
2. Upgrade to fixed version per F5 documentation.
3. Restart affected services after patching.

🔧 Temporary Workarounds

Disable vulnerable configurations

all

Temporarily remove or disable Advanced WAF/ASM security policies from vulnerable virtual servers

# Use F5 TMSH or GUI to modify virtual server configurations
# tmsh removes list members with "delete"; "remove" is not a valid tmsh list operation
# tmsh modify ltm virtual <vs_name> policies delete { <policy_name> }

🧯 If You Can't Patch

  • Implement network segmentation to limit access to vulnerable virtual servers
  • Deploy additional monitoring for bd process crashes and implement automated restart scripts

🔍 How to Verify

Check if Vulnerable:

Check if running affected BIG-IP version with WAF/ASM policies configured using 'tmsh show sys software' and review virtual server configurations

Check Version:

tmsh show sys software

Verify Fix Applied:

Verify upgraded to fixed version using 'tmsh show sys software' and confirm no bd process crashes occur during testing

📡 Detection & Monitoring

Log Indicators:

  • bd process termination/crash logs in /var/log/ltm
  • Application availability alerts
  • Increased process restart events

Network Indicators:

  • Unusual request patterns to WAF/ASM protected applications
  • Sudden service unavailability

SIEM Query:

source="/var/log/ltm" AND "bd process" AND (terminated OR crashed OR restart)
