Description
When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When an HTTP/2 profile and an iRule that uses the HTTP::redirect or HTTP::respond command are configured together on a virtual server, a specially crafted request can cause the Traffic Management Microkernel (TMM) process to crash, resulting in a denial of service. The weakness is an instance of a null pointer dereference (CWE-476). The trigger is described only as undisclosed requests; the official description does not detail the request format or the authentication level required.

Affected Systems

The vulnerable products are F5 BIG‑IP, F5 BIG‑IP Next CNF, F5 BIG‑IP Next SPK, and F5 BIG‑IP Next for Kubernetes, all versions that are still under support. No specific affected version numbers are disclosed; software that has reached End of Technical Support was not evaluated.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity risk. EPSS data is unavailable, so the probability of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog, implying that no widespread exploitation is currently known. The likely attack vector is network-based: an unauthenticated request to a virtual server configured with HTTP/2 and the mentioned iRules, which requires no special privileges and could be carried out by any party able to send HTTP/2 traffic to the target.

Generated by OpenCVE AI on May 13, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or software update for the affected F5 BIG‑IP products that resolves the TMM crash issue.
  • Disable HTTP/2 or remove any HTTP::redirect or HTTP::respond iRules from virtual servers until a patch is available.
  • If disabling the iRule is not immediately possible, reconfigure the redirect/respond logic using alternative methods that do not rely on the vulnerable commands.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: F5; F5 big-ip; F5 big-ip Next Cnf; F5 big-ip Next For Kubernetes; F5 big-ip Next Spk

Type: Vendors & Products
Values Removed: (none)
Values Added: F5; F5 big-ip; F5 big-ip Next Cnf; F5 big-ip Next For Kubernetes; F5 big-ip Next Spk

Wed, 13 May 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Type: Title
Values Removed: (none)
Values Added: BIG-IP HTTP/2 vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-476

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:12:48.171Z

Reserved: 2026-04-30T23:04:10.873Z

Link: CVE-2026-42409

Vulnrichment

Updated: 2026-05-13T16:12:43.652Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:47.770

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42409

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:25Z

Weaknesses