Security Alert (A26-05-26): Multiple Vulnerabilities in F5 Products

Description:

F5 has published security advisories to address multiple vulnerabilities in F5 Products. The details about the vulnerabilities can be found at the following website:
https://my.f5.com/manage/s/article/K000149743
https://my.f5.com/manage/s/article/K000150508
https://my.f5.com/manage/s/article/K000156581
https://my.f5.com/manage/s/article/K000156604
https://my.f5.com/manage/s/article/K000156734
https://my.f5.com/manage/s/article/K000156761
https://my.f5.com/manage/s/article/K000157895
https://my.f5.com/manage/s/article/K000157981
https://my.f5.com/manage/s/article/K000158029
https://my.f5.com/manage/s/article/K000158038
https://my.f5.com/manage/s/article/K000158070
https://my.f5.com/manage/s/article/K000158082
https://my.f5.com/manage/s/article/K000158971
https://my.f5.com/manage/s/article/K000158978
https://my.f5.com/manage/s/article/K000158979
https://my.f5.com/manage/s/article/K000159021
https://my.f5.com/manage/s/article/K000159034
https://my.f5.com/manage/s/article/K000160727
https://my.f5.com/manage/s/article/K000160788
https://my.f5.com/manage/s/article/K000160857
https://my.f5.com/manage/s/article/K000160862
https://my.f5.com/manage/s/article/K000160863
https://my.f5.com/manage/s/article/K000160874
https://my.f5.com/manage/s/article/K000160875
https://my.f5.com/manage/s/article/K000160876
https://my.f5.com/manage/s/article/K000160901
https://my.f5.com/manage/s/article/K000160903
https://my.f5.com/manage/s/article/K000160911
https://my.f5.com/manage/s/article/K000160916
https://my.f5.com/manage/s/article/K000160926
https://my.f5.com/manage/s/article/K000160932
https://my.f5.com/manage/s/article/K000160945
https://my.f5.com/manage/s/article/K000160971
https://my.f5.com/manage/s/article/K000160972
https://my.f5.com/manage/s/article/K000160973
https://my.f5.com/manage/s/article/K000160975
https://my.f5.com/manage/s/article/K000160979
https://my.f5.com/manage/s/article/K000160981
https://my.f5.com/manage/s/article/K000161018
https://my.f5.com/manage/s/article/K000161019
https://my.f5.com/manage/s/article/K000161021
https://my.f5.com/manage/s/article/K000161022
https://my.f5.com/manage/s/article/K000161023
https://my.f5.com/manage/s/article/K000161027
https://my.f5.com/manage/s/article/K000161028
https://my.f5.com/manage/s/article/K000161040
https://my.f5.com/manage/s/article/K000161056
https://my.f5.com/manage/s/article/K000161068
https://my.f5.com/manage/s/article/K000161107
https://my.f5.com/manage/s/article/K000161131
https://my.f5.com/manage/s/article/K000161244
https://my.f5.com/manage/s/article/K32950402
https://my.f5.com/manage/s/article/K35544022

Affected Systems:

• BIG-IP (all modules) versions 16.1.0 - 16.1.6, 17.1.0 - 17.1.2, 17.1.0 - 17.1.3, 17.5.0, 17.5.0 - 17.5.1, 21.0.0
• BIG-IP APM versions 16.1.0 - 16.1.6, 17.1.0 - 17.1.3, 17.5.0 - 17.5.1, 21.0.0
• BIG-IP Advanced WAF/ASM versions 16.1.0 - 16.1.6, 17.1.0 - 17.1.3, 17.5.0 - 17.5.1, 21.0.0
• BIG-IP DDoS Hybrid Defender versions 16.1.0 - 16.1.6, 17.1.0 - 17.1.3, 17.5.0 - 17.5.1
• BIG-IP DNS versions 16.1.0 - 16.1.6, 17.1.0 - 17.1.3, 17.5.0 - 17.5.1, 21.0.0
• BIG-IP Next CNF versions 1.1.0 - 1.4.1, 2.0.0 - 2.2.1
• BIG-IP Next SPK versions 1.7.0 - 1.9.2, 2.0.0 - 2.0.3
• BIG-IP Next for Kubernetes versions 2.0.0 - 2.1.1
• BIG-IP PEM versions 16.1.0 - 16.1.6, 17.1.0 - 17.1.3, 17.5.0 - 17.5.1, 21.0.0
• BIG-IP SSL Orchestrator versions 17.1.0 - 17.1.3, 17.5.0 - 17.5.1, 21.0.0
• BIG-IQ Centralized Management versions 8.4.0 - 8.4.1
• F5 DoS for NGINX versions 4.8.0
• F5 WAF for NGINX versions 5.9.0 - 5.12.1
• NGINX App Protect DoS versions 4.3.0 - 4.7.0
• NGINX App Protect WAF versions 4.9.0 - 4.16.0, 5.1.0 - 5.8.0
• NGINX Gateway Fabric versions 1.3.0 - 1.6.2, 2.0.0 - 2.6.0
• NGINX Ingress Controller versions 3.5.0 - 3.7.2, 4.0.0 - 4.0.1, 5.0.0 - 5.4.2
• NGINX Instance Manager versions 2.16.0 - 2.21.1
• NGINX Open Source versions 0.3.50 - 0.9.7, 1.0.0 - 1.30.0
• NGINX Plus versions R32 - R36

For detailed information of the affected systems, please refer to the corresponding security advisories at vendor's website.

Impact:

Successful exploitation of the vulnerabilities could lead to remote code execution, denial of service, elevation of privilege, information disclosure, security restriction bypass, spoofing or tampering on an affected system.

Recommendation:

Software updates for affected systems are now available. System administrators of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk. It is recommended to consult the product vendors for the fixes and assistance.

More Information:

• https://my.f5.com/manage/s/article/K000149743
• https://my.f5.com/manage/s/article/K000150508
• https://my.f5.com/manage/s/article/K000156581
• https://my.f5.com/manage/s/article/K000156604
• https://my.f5.com/manage/s/article/K000156734
• https://my.f5.com/manage/s/article/K000156761
• https://my.f5.com/manage/s/article/K000157895
• https://my.f5.com/manage/s/article/K000157981
• https://my.f5.com/manage/s/article/K000158029
• https://my.f5.com/manage/s/article/K000158038
• https://my.f5.com/manage/s/article/K000158070
• https://my.f5.com/manage/s/article/K000158082
• https://my.f5.com/manage/s/article/K000158971
• https://my.f5.com/manage/s/article/K000158978
• https://my.f5.com/manage/s/article/K000158979
• https://my.f5.com/manage/s/article/K000159021
• https://my.f5.com/manage/s/article/K000159034
• https://my.f5.com/manage/s/article/K000160727
• https://my.f5.com/manage/s/article/K000160788
• https://my.f5.com/manage/s/article/K000160857
• https://my.f5.com/manage/s/article/K000160862
• https://my.f5.com/manage/s/article/K000160863
• https://my.f5.com/manage/s/article/K000160874
• https://my.f5.com/manage/s/article/K000160875
• https://my.f5.com/manage/s/article/K000160876
• https://my.f5.com/manage/s/article/K000160901
• https://my.f5.com/manage/s/article/K000160903
• https://my.f5.com/manage/s/article/K000160911
• https://my.f5.com/manage/s/article/K000160916
• https://my.f5.com/manage/s/article/K000160926
• https://my.f5.com/manage/s/article/K000160932
• https://my.f5.com/manage/s/article/K000160945
• https://my.f5.com/manage/s/article/K000160971
• https://my.f5.com/manage/s/article/K000160972
• https://my.f5.com/manage/s/article/K000160973
• https://my.f5.com/manage/s/article/K000160975
• https://my.f5.com/manage/s/article/K000160979
• https://my.f5.com/manage/s/article/K000160981
• https://my.f5.com/manage/s/article/K000161018
• https://my.f5.com/manage/s/article/K000161019
• https://my.f5.com/manage/s/article/K000161021
• https://my.f5.com/manage/s/article/K000161022
• https://my.f5.com/manage/s/article/K000161023
• https://my.f5.com/manage/s/article/K000161027
• https://my.f5.com/manage/s/article/K000161028
• https://my.f5.com/manage/s/article/K000161040
• https://my.f5.com/manage/s/article/K000161056
• https://my.f5.com/manage/s/article/K000161068
• https://my.f5.com/manage/s/article/K000161107
• https://my.f5.com/manage/s/article/K000161131
• https://my.f5.com/manage/s/article/K000161244
• https://my.f5.com/manage/s/article/K32950402
• https://my.f5.com/manage/s/article/K35544022
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20916
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24464
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28758
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32643
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32673
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34019
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34176
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35062
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-39455
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-39458 (to CVE-2026-39459)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40060 (to CVE-2026-40061)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40067
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40423
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40435
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40460
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40462
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40618
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40629
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40631
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40698 (to CVE-2026-40699)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40701
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40703
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41217 (to CVE-2026-41219)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41225
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41227
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41953 (to CVE-2026-41954)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41956 (to CVE-2026-41957)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41959
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42058
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42063
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42406
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42408 (to CVE-2026-42409)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42778 (to CVE-2026-42781)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42919 (to CVE-2026-42920)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42924
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42926
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42930
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42934
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42937
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42945 (to CVE-2026-42946)