F5 Quarterly Security Notification LiveStream - May 13 2026
By F5 DevCentral Community
Key Concepts
- QSN (Quarterly Security Notification): F5’s scheduled release of security vulnerability disclosures and patches.
- CVSS (Common Vulnerability Scoring System): A standard for assessing the severity of computer system security vulnerabilities.
- TMOS (Traffic Management Operating System): The core operating system for F5 BIG-IP hardware and virtual appliances.
- Control Plane vs. Data Plane: The control plane manages system configuration and management traffic, while the data plane handles the actual flow of application traffic.
- SPK/CNF/BNK: F5’s Kubernetes-native solutions (Service Proxy for Kubernetes, Cloud-Native Functions, and BIG-IP Next for Kubernetes).
1. Overview of May 2026 QSN
On May 13, 2026, F5’s Security Incident Response Team (SIRT) disclosed 51 security issues. The vulnerabilities are categorized by severity and product impact, requiring immediate attention from administrators to apply the recommended patches.
Severity Breakdown:
- Critical: 2 (Note: One is critical under CVSS v4.0 but high under v3.1; the other is critical only when in "Appliance Mode").
- High: 28
- Medium: 34
- Low/Security Exposures: 0
2. Product Impact and Distribution
The vulnerabilities affect a wide range of F5 and NGINX products:
- BIG-IP: 44 CVEs
- BIG-IQ: 9 CVEs
- NGINX: 6 (Open Source), 5 (Plus)
- SPK (Service Proxy for Kubernetes): 3
- CNF (Cloud-Native Functions): 4
- BNK (BIG-IP Next for Kubernetes): 3
- SSL Orchestrator: 1
Note: F5OS was explicitly confirmed as not being affected by any of the vulnerabilities disclosed in this specific QSN.
3. Remediation and Version Requirements
To mitigate these vulnerabilities, users are advised to upgrade to the following minimum versions:
- BIG-IP: 21.1.0, 21.0.0.2, 17.5.1.6, or 17.1.3.2.
- BIG-IQ: Most issues are fixed in 8.4.1, but five specific CVEs require version 8.4.2 (expected release within the next month).
- NGINX Open Source: Stable branch 1.30.1; Mainline branch 1.31.0.
- NGINX Plus: R37, R36P4, or R32P6.
- Kubernetes Solutions: BNK 2.2.0. For SPK and CNF users, F5 recommends migrating to the BNK branch, as the codebases have been merged to simplify maintenance.
- SSL Orchestrator: 14.0, 13.1.3, 12.3.2, or 11.4.1.
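A branch-aware check of installed versions against the BIG-IP and SSL Orchestrator minimums listed above, added here as an example and not F5's own tooling. The sample inventory is constructed, and the rule that a listed fixed release covers every build on its major.minor branch is an assumption, so verify it against the F5 security advisory for each CVE.

```python
"""Branch-aware check of installed F5 versions against the May 2026 QSN
minimums. Added example, not F5 tooling. ASSUMPTION: a listed fixed release
covers every build on its major.minor branch (17.5.1.6 covers 17.5.x)."""
import re

# Minimum fixed versions exactly as listed in the QSN summary above.
QSN_MAY_2026_MINIMUMS = {
    "BIG-IP": ["21.1.0", "21.0.0.2", "17.5.1.6", "17.1.3.2"],
    "SSL Orchestrator": ["14.0", "13.1.3", "12.3.2", "11.4.1"],
}

def parse_version(text):
    """'17.1.3.2-0.0.4' -> (17, 1, 3, 2); the '-build' suffix is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def check_version(product, installed_text):
    """Return (status, required_version). status is 'fixed', 'upgrade'
    (same branch but below the fix), 'not-on-fixed-branch' (no fixed
    release listed for this branch: move to a listed one) or
    'unknown-product' (not covered by the table above)."""
    minimums = QSN_MAY_2026_MINIMUMS.get(product)
    if minimums is None:
        return ("unknown-product", None)
    installed = parse_version(installed_text)
    for fixed_text in minimums:
        fixed = parse_version(fixed_text)
        if installed[:2] == fixed[:2]:  # same major.minor branch (assumed)
            # Tuple order treats 17.5.1 as older than 17.5.1.6 and
            # 21.1.0.1 as newer than 21.1.0, which is what we want.
            return ("fixed" if installed >= fixed else "upgrade", fixed_text)
    return ("not-on-fixed-branch", None)

def audit(inventory):
    """inventory: [(hostname, product, version)] -> rows needing action."""
    findings = []
    for host, product, version in inventory:
        status, required = check_version(product, version)
        if status != "fixed":
            findings.append((host, product, version, status, required))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [("bigip-edge-01", "BIG-IP", "17.1.3.1-0.0.4"),
              ("bigip-edge-02", "BIG-IP", "21.1.0"),
              ("bigip-lab-03", "BIG-IP", "16.1.5"),
              ("sslo-dc-01", "SSL Orchestrator", "13.1.2")]
    for row in audit(sample):
        print(*row)
```

Versions on a branch with no listed fix (for example a 16.x BIG-IP) are reported as `not-on-fixed-branch` rather than silently passed, since the only remediation this page lists for them is moving to one of the fixed branches.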
4. Technical Breakdown
The vulnerabilities were categorized by their operational impact:
- Control Plane Issues: 32 (Affecting management and configuration).
- Data Plane Issues: 19 (Affecting traffic processing).
5. Key Perspectives and Strategic Direction
- Patch Management: F5 leadership, specifically CIO Kunal Anand, has emphasized a shift in how patch windows are handled. Users are encouraged to review the official blog regarding upcoming changes to patch management strategies.
- Consolidation: The move to merge SPK and CNF code into the BNK branch is a strategic effort to reduce complexity for customers managing containerized environments.
6. Synthesis and Takeaways
The May 2026 QSN highlights a significant volume of vulnerabilities (51 total), with a heavy concentration on the BIG-IP platform. While the number of "Critical" vulnerabilities is low, the high number of "High" severity issues (28) necessitates a prioritized patching schedule. Administrators should verify their current versions against the provided minimums and monitor for the upcoming BIG-IQ 8.4.2 release. The consolidation of Kubernetes-related products into the BNK branch is the most significant architectural change recommended for users of F5’s container-native solutions.