Description
When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when a Client SSL profile on a UDP virtual server has Allow Dynamic Record Sizing enabled. Undisclosed traffic that triggers this configuration can cause the Traffic Management Microkernel to terminate, resulting in a denial of service to the affected system. The weakness is classified as CWE-835, indicating an infinite loop or unbounded processing condition.

Affected Systems

The affected vendor is F5 and the product is BIG‑IP. No specific software version range is provided in the advisory, so all currently supported BIG‑IP releases that use UDP virtual servers with the Allow Dynamic Record Sizing setting are potentially impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 8.7, placing it in the High severity range. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network-based: an attacker can send crafted traffic to the vulnerable UDP virtual server to trigger the crash. Once the TMM terminates, the BIG‑IP appliance may become unavailable until a manual restart or patch is applied. The high CVSS score coupled with a plausible exploitation scenario indicates substantial risk for organizations that have exposed such virtual servers to the Internet or untrusted networks.

Generated by OpenCVE AI on May 13, 2026 at 17:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest F5 BIG‑IP software update that addresses the DTLS handling issue.
  • If a patch cannot be applied immediately, disable Allow Dynamic Record Sizing on UDP virtual servers or reconfigure the affected services to use TCP.
  • Verify that no UDP virtual server includes the Allow Dynamic Record Sizing setting and monitor system logs for unexpected TMM crashes.

Advisories

No advisories yet.

History

Wed, 13 May 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | F5; F5 big-ip |
| Vendors & Products | | F5; F5 big-ip |

Wed, 13 May 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Wed, 13 May 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| Title | | BIG-IP DTLS Vulnerability |
| Weaknesses | | CWE-835 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |
| Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:14:10.743Z

Reserved: 2026-04-30T23:02:47.685Z

Link: CVE-2026-42920

Vulnrichment

Updated: 2026-05-13T16:14:06.305Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:49.390

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T19:00:14Z

Weaknesses