CVE-2022-26890

HIGH

F5 BIG-IP <16.1.2.1, <15.1.5, <14.1.4.6, <13.1.5 - DoS

Title source: llm

Description

On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

References (1)

[Vendor Advisory] https://support.f5.com/csp/article/K03442392

Scores

CVSS v3 7.5

EPSS 0.0089

EPSS Percentile 75.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-670

Status published

Products (50)

f5/big-ip_access_policy_manager 13.1.0

f5/big-ip_access_policy_manager 13.1.1

f5/big-ip_access_policy_manager 13.1.3

f5/big-ip_access_policy_manager 13.1.4

f5/big-ip_access_policy_manager 13.1.5

f5/big-ip_access_policy_manager 14.1.0

f5/big-ip_access_policy_manager 14.1.2

f5/big-ip_access_policy_manager 14.1.3

f5/big-ip_access_policy_manager 14.1.4

f5/big-ip_access_policy_manager 15.1.0

... and 40 more

Published May 05, 2022

Tracked Since Feb 18, 2026