F5 released its February 2026 Quarterly Security Notification on February 4, announcing several medium and low-severity CVEs, plus a security exposure affecting BIG-IP, NGINX, and container services.
These issues primarily stem from denial-of-service (DoS) risks and configuration weaknesses, potentially disrupting high-traffic environments like web application firewalls (WAF) and Kubernetes ingress.
While no active exploits are reported, prompt patching is urged for internet-facing deployments to mitigate DoS chains or unauthorized access.
F5 provides CVSS v3.1 and v4.0 scores for first-party issues, emphasizing attack vector, privileges, and impact. A live briefing video is available via DevCentral. Details link to F5’s knowledge base.
The three medium-severity flaws below pose moderate DoS threats, with CVSS scores up to 8.2 (v4.0). Attackers could overwhelm services remotely.
| Article (CVE) | CVSS v3.1 / v4.0 | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|---|
| K000158072: BIG-IP Advanced WAF/ASM (CVE-2026-22548) | 5.9 / 8.2 | BIG-IP Advanced WAF/ASM | 17.1.0 – 17.1.2 | 17.1.3 |
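| K000159824: NGINX (CVE-2026-1642) | 5.9 / 8.2 | NGINX Plus; NGINX Open Source; NGINX Ingress Controller; NGINX Gateway Fabric; NGINX Instance Manager | Plus: R32-R36 P1; Open Source: 1.3.0-1.29.4; Ingress Controller: 5.3.0-5.3.2, 4.0.0-4.0.1, 3.4.0-3.7.1; Gateway Fabric: 2.0.0-2.4.0, 1.2.0-1.6.2; Instance Manager: 2.15.1-2.21.0 | Plus: R36 P2, R35 P1, R32 P4; Open Source: 1.29.5, 1.28.2; Ingress Controller: None; Gateway Fabric: None; Instance Manager: None |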
| K000157960: BIG-IP CIS (CVE-2026-22549) | 4.9 / 6.9 | BIG-IP Container Ingress Services (Kubernetes/OpenShift) | 2.0.0-2.20.1; 1.0.0-1.14.0 | 2.20.2; 2.20.1 (Helm 0.0.363) |
Impact Assessment: CVE-2026-1642 affects the broadest NGINX ecosystem, enabling network-adjacent DoS via crafted requests. WAF/ASM and CIS flaws target F5’s containerized services, risking outages in hybrid clouds.
Lower-risk issues focus on local or adjacent attacks.
Notes: Edge Client requires Component Update enabled post-upgrade. Config utility flaw allows local privilege escalation.
Security Exposures
| Article | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|
| K000156643: BIG-IP SMTP Config | BIG-IP (all modules) | 21.0.0; 17.5.0-17.5.1; etc. | 21.0.0.1; 17.5.1.4; 17.1.3.1 |
This exposure risks SMTP misconfigurations leading to relay abuse.
Prioritize medium CVEs in NGINX-heavy setups. Scan for affected versions (pre-EoTS only) and apply fixes via iHealth, or via Helm for CIS. Test in staging to avoid disruptions. Monitor the Medium, Low, and Exposures pages. F5’s CVSS v4.0 shift aids precise risk scoring; see K000140363.
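One way to run the version scan against an asset inventory, as an added example that is not F5 tooling or code from the notification. The ranges and fixes are transcribed from the tables above; the product keys, host names and inventory lines are constructed, and the branch-matching rule is an assumption noted in the comments.

```python
# Affected ranges and fixes transcribed from the tables above (keys are made-up labels).
ADVISORIES = {
    "nginx-oss": {"cve": "CVE-2026-1642", "fixed": ["1.29.5", "1.28.2"],
                  "affected": [("1.3.0", "1.29.4")]},
    "bigip-waf": {"cve": "CVE-2026-22548", "fixed": ["17.1.3"],
                  "affected": [("17.1.0", "17.1.2")]},
    # The table also lists CIS 2.20.1 with Helm 0.0.363 as a fix; chart versions
    # are not modeled here, so a bare 2.20.1 is reported as affected.
    "bigip-cis": {"cve": "CVE-2026-22549", "fixed": ["2.20.2"],
                  "affected": [("2.0.0", "2.20.1"), ("1.0.0", "1.14.0")]},
}

def parse(version):
    return tuple(int(part) for part in version.split("."))

def status(product, version):
    adv = ADVISORIES.get(product)
    if adv is None:
        return "unknown-product"
    v = parse(version)
    # Assumption: a release at or above a listed fix on the same major.minor
    # branch carries the fix. Without this, 1.28.2 falls inside 1.3.0-1.29.4.
    for fix in map(parse, adv["fixed"]):
        if v[:2] == fix[:2] and v >= fix:
            return "fixed"
    # Assumption: point releases (e.g. 17.1.2.1) match on the first three parts.
    for lo, hi in adv["affected"]:
        if parse(lo) <= v[:3] <= parse(hi):
            return "affected"
    return "not-listed"

def triage(inventory):
    rows = []
    for line in inventory.strip().splitlines():
        host, product, version = line.split()
        rows.append((host, product, version, status(product, version)))
    return rows

# Constructed inventory: "<host> <product> <version>" per line.
INVENTORY = """
edge-01 nginx-oss 1.26.3
edge-02 nginx-oss 1.28.2
edge-03 nginx-oss 1.29.4
waf-01 bigip-waf 17.1.2
waf-02 bigip-waf 17.1.3
k8s-01 bigip-cis 2.19.0
"""
if __name__ == "__main__":
    for host, product, version, result in triage(INVENTORY):
        print(f"{host:8} {product:10} {version:8} {result}")
```

A result of `not-listed` means only that the version is outside the ranges in this article's tables; the F5 articles remain the authority on what is affected.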
