Impact
The vulnerability is a use-after-free flaw in the Traffic Management Microkernel (TMM) that becomes reachable when a BIG-IP virtual server has PEM iRules configured that use commands beginning with CLASSIFICATION::, CLASSIFY::, PEM::, or PSC::, or that use the urlcatquery command. When an attacker sends traffic that causes TMM to execute one of these commands, memory is freed incorrectly and the TMM process terminates. The crash is a denial-of-service condition that takes down the affected virtual server and potentially any services routed through it.
Affected Systems
Affected systems are F5 BIG-IP appliances that have PEM iRules configured with the vulnerable commands. No specific version numbers are listed in the advisory, and software that has reached end of technical support was explicitly excluded from evaluation. There is no evidence that only certain versions are impacted, so any BIG-IP running these iRules may be at risk.
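Because exposure depends on which iRules are attached to which virtual servers, an inventory pass over the configuration is the first check a defender would run. The script below is an added example, not part of the advisory or F5's tooling: it scans a constructed, bigip.conf-style text (the layout `tmsh list` produces, approximated here) for rules that use the commands named above and reports the virtual servers referencing them. The object names and addresses in the sample are invented.

```python
import re

# Commands the advisory names as triggers for the TMM use-after-free.
VULNERABLE = re.compile(r"\b(?:CLASSIFICATION::|CLASSIFY::|PEM::|PSC::|urlcatquery\b)")
# Top-level tmsh objects: "ltm rule /Common/x {" ... closing "}" at column 0.
BLOCK = re.compile(r"^ltm (rule|virtual) (\S+) \{\n(.*?)^\}", re.M | re.S)

# Constructed sample in bigip.conf style; not taken from a real device.
SAMPLE_CONFIG = """\
ltm rule /Common/pem_policy {
    when CLIENT_ACCEPTED {
        PEM::session create [IP::client_addr]
    }
}
ltm rule /Common/plain_redirect {
    when HTTP_REQUEST {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
ltm virtual /Common/vs_subscribers {
    destination /Common/203.0.113.10:80
    rules {
        /Common/pem_policy
        /Common/plain_redirect
    }
}
ltm virtual /Common/vs_web {
    destination /Common/203.0.113.11:443
    rules {
        /Common/plain_redirect
    }
}
"""


def find_exposed_virtuals(config: str) -> dict[str, list[str]]:
    """Map each virtual server to the vulnerable iRules attached to it."""
    vulnerable_rules, virtuals = set(), {}
    for kind, name, body in BLOCK.findall(config):
        if kind == "rule" and VULNERABLE.search(body):
            vulnerable_rules.add(name)
        elif kind == "virtual":
            # The "rules { ... }" stanza lists attached iRules one per line.
            m = re.search(r"rules \{(.*?)\}", body, re.S)
            virtuals[name] = m.group(1).split() if m else []
    exposed = {}
    for vs, refs in virtuals.items():
        hits = [r for r in refs if r in vulnerable_rules]
        if hits:
            exposed[vs] = hits
    return exposed
```

On a real device the same function can be fed the output of `tmsh list ltm rule` and `tmsh list ltm virtual` concatenated; a virtual server that appears in the result is one to prioritise for the vendor fix or for removing the affected iRule.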
Risk and Exploitability
The CVSS score of 8.7 indicates high severity for a denial-of-service vulnerability. EPSS is unavailable and the issue is not listed in the CISA KEV catalog, suggesting no known public exploits at this time. The likely attack vector is remote: an unauthenticated client can send traffic to a virtual server on which one of these iRules is configured and provoke the TMM crash without any privileged access. Because the flaw results in service interruption rather than code execution or data exfiltration, the primary risk is operational downtime; however, repeated crashes could be leveraged in a sustained denial-of-service attack.
OpenCVE Enrichment