High

F5’s February 2026 Quarterly Security Notification, released on February 4, discloses multiple medium- and low-severity vulnerabilities along with a security exposure affecting BIG-IP, NGINX, and container-based services. The majority of these issues are tied to denial-of-service (DoS) conditions and configuration weaknesses, which could disrupt high-traffic environments such as web application firewalls (WAF), Kubernetes ingress controllers, and hybrid cloud deployments. Although no active exploitation has been observed, F5 strongly recommends prompt patching, especially for internet-facing systems, to prevent potential DoS chains or unauthorized access scenarios.

The most impactful findings are three medium-severity CVEs with CVSS v4.0 scores reaching high, representing moderate but meaningful DoS risks. CVE-2026-1642 (NGINX) has the broadest impact, affecting NGINX Plus, open-source NGINX, Ingress Controller, Gateway Fabric, and Instance Manager across numerous versions, enabling network-adjacent attackers to overwhelm services using crafted requests. The other two medium issues CVE-2026-22548 (BIG-IP Advanced WAF/ASM) and CVE-2026-22549 (BIG-IP Container Ingress Services) primarily threaten containerized and WAF deployments, raising the risk of service outages in hybrid and cloud-native environments if left unpatched.

Lower-severity issues focus on local or adjacent attack scenarios. CVE-2026-20730 affects BIG-IP Edge Client/APM, carrying minimal impact but requiring Component Update to be enabled post-upgrade. CVE-2026-20732, targeting the BIG-IP Config Utility, allows local privilege escalation, reinforcing the need for strong access controls even though remote exploitation is unlikely. In addition, a security exposure related to BIG-IP SMTP configuration could lead to mail relay abuse if misconfigured, highlighting operational risk rather than a traditional vulnerability.

From a defensive standpoint, organizations should prioritize patching NGINX-related CVEs, particularly in NGINX-heavy or Kubernetes-based environments, and ensure all deployments are within supported (pre-EoTS) versions. F5 recommends validating affected versions using iHealth, applying fixes via Helm for CIS, and testing updates in staging environments to minimize disruption. Continuous monitoring of F5’s Medium, Low, and Exposure advisories is advised, and the adoption of CVSS v4.0 scoring now provided alongside v3.1 enables more precise risk assessment and prioritization across diverse deployment models.