F5 Fixes Critical Vulnerabilities

On February 4, F5 published its February 2026 Quarterly Security Notification, which included a security exposure impacting BIG-IP, NGINX, and container services, in addition to a number of medium and low-severity CVEs. Denial-of-service (DoS) threats and configuration flaws are the main causes of these problems, which have the potential to disrupt high-traffic environments such as web application firewalls (WAF) and Kubernetes ingress.
Even though there are no known active exploits, internet-facing deployments should patch as soon as possible to prevent DoS chains and unwanted access. For first-party issues, F5 provides CVSS v3.1 and v4.0 scores, with a focus on attack vector, privileges, and impact. DevCentral offers a live video briefing. Details are linked in F5's knowledge base.
With CVSS scores of up to 8.2 (v4.0), these three vulnerabilities represent moderate DoS threats. Remote attackers could overload services.
Article (CVE): K000158072: NGINX (CVE-2026-1642)
CVSS v3.1 / v4.0: 5.9 / 8.2
Affected products and versions: NGINX Plus (R32-R36 P1), Open Source (1.3.0-1.29.4), Ingress Controller (5.3.0-5.3.2; 4.0.0-4.0.1; 3.4.0-3.7.1), Gateway Fabric (2.0.0-2.4.0; 1.2.0-1.6.2), Instance Manager (2.15.1-2.21.0)
Fixes: R36 P2, R35 P1, R32 P4; 1.29.5, 1.28.2; None; None; None; None; None; None; None; None; None; None; None; None

Article (CVE): K000157960: BIG-IP CIS (CVE-2026-22549)
CVSS v3.1 / v4.0: 4.9 / 6.9
Affected products: BIG-IP Container Ingress Services (OpenShift/Kubernetes)
Affected versions: 2.0.0-2.20.1; 1.0.0-1.14.0
Fixes: 2.20.2; 2.20.1 (Helm 0.0.363)

Impact Assessment: CVE-2026-1642 has the broadest impact, across the NGINX ecosystem, by enabling network-adjacent DoS through carefully constructed requests. The WAF/ASM and CIS vulnerabilities target F5's containerized services and put hybrid clouds at risk of outages. The lower-risk problems involve local or adjacent attacks.
Article (CVE): K000158931: BIG-IP Edge Client (CVE-2026-20730)
CVSS v3.1 / v4.0: 3.3 / 2.0
Affected products and versions (as listed): BIG-IP APM (21.0.0; 17.5.0-17.5.1; etc.); APM Clients 17.1.3.13; 7.2.6.2
Fixes: 17.1.3.13, 7.2.6.2

Article (CVE): K000156644: BIG-IP Config Utility (CVE-2026-20732)
CVSS v3.1 / v4.0: 3.1 / 2.3
Affected products and versions (as listed): BIG-IP (all modules) 17.5.1.4; 17.1.3.1
Fixes: 17.5.1.4; 17.1.3.1

Remarks: The Edge Client needs the component. The update is enabled after the upgrade.
A configuration utility flaw makes local privilege escalation possible.

Security Exposures

Article: K000156643: BIG-IP SMTP Configuration
Affected products: BIG-IP (all modules)
Versions listed (affected, then fixes): e.g. 21.0.0; 17.5.0–17.5.1; 21.0.0.1; 17.5.1.4; 17.1.3.1

This exposure raises the possibility of relay abuse due to SMTP misconfigurations. In NGINX-heavy environments, give the medium CVEs priority.
Check for impacted versions (pre-EoTS only), then use Helm for CIS or iHealth to apply fixes. To prevent interruptions, test in staging.
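The version check for one product, as an added example that is not from F5 or the original article: it classifies `nginx -v` banners against the NGINX Open Source range and fix versions listed above for CVE-2026-1642. The host names and banners are constructed, and treating later patch releases on a fixed branch as fixed is an assumption.

```python
import re

# Values from the table on this page for NGINX Open Source (CVE-2026-1642).
AFFECTED_MIN = (1, 3, 0)
AFFECTED_MAX = (1, 29, 4)
FIXED_IN = [(1, 29, 5), (1, 28, 2)]  # mainline and stable fix releases


def parse_nginx_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output or a bare version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no nginx version found in {banner!r}")
    return tuple(int(part) for part in m.groups())


def classify(banner):
    """Return 'fixed', 'affected', 'not-listed' or 'nginx-plus' for one banner."""
    if "nginx-plus" in banner:
        # NGINX Plus is tracked by R release (R32-R36 P1 above), not by this range.
        return "nginx-plus"
    version = parse_nginx_version(banner)
    # 1.28.2 sits numerically inside 1.3.0-1.29.4 but carries the fix, so the
    # fix list has to be consulted before the range.
    # Assumption: later patch releases on a fixed branch also carry the fix.
    for fix in FIXED_IN:
        if version[:2] == fix[:2] and version >= fix:
            return "fixed"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not-listed"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: host name -> output of `nginx -v`.
    sample = {
        "edge-01": "nginx version: nginx/1.28.1",
        "edge-02": "nginx version: nginx/1.28.2",
        "edge-03": "nginx version: nginx/1.26.3",
        "edge-04": "nginx version: nginx/1.27.4 (nginx-plus-r34)",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as `nginx-plus` need a separate comparison against the R-release row of the table.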
Keep an eye on the Exposures, Medium, and Low pages, and see K000140363. F5's CVSS v4.0 shift helps with accurate risk scoring.