CVE-2022-26890: 
F5 BIG-IP Virtual Edition vulnerability analysis and mitigation

A vulnerability identified as CVE-2022-26890 affects F5 BIG-IP Advanced WAF, ASM, and APM systems across multiple versions (16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5). The vulnerability was disclosed on May 5, 2022, and occurs when ASM or Advanced WAF and APM are configured on a virtual server with Session Awareness enabled and the "Use APM Username and Session ID" option is activated (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Under CVSS v2.0, it received a Base Score of 5.0 (MEDIUM) with vector (AV:N/AC:L/Au:N/C:N/I:N/A:P). The vulnerability is categorized under CWE-670 (Always-Incorrect Control Flow Implementation) (NVD).

When exploited, this vulnerability can cause the bd process to terminate in affected F5 BIG-IP systems, potentially leading to service disruption (NVD).

F5 Networks has released patched versions to address this vulnerability: version 16.1.2.1 for 16.1.x series, version 15.1.5 for 15.1.x series, version 14.1.4.6 for 14.1.x series, and version 13.1.5 for 13.1.x series. Users are advised to upgrade to these patched versions (NVD).