F5 BIG-IP Next SPK
cpe:2.3:a:f5:big-ip_next:*:*:*:*:*:*:*
- 2.0.0
- ~2.0
- ~1.7.0, <= 1.7.14
A denial-of-service vulnerability has been identified in F5 BIG-IP Next products (CNF, SPK, and Kubernetes) when HTTP/2 Ingress is configured. Undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate, disrupting service as the TMM process restarts. This issue allows a remote, unauthenticated attacker to cause a DoS on the BIG-IP system, affecting only the data plane.
Exploitation of this vulnerability disrupts traffic by causing the TMM process to terminate and restart, leading to a temporary denial-of-service condition on the BIG-IP system.
F5 has released an engineering hotfix for this vulnerability, available through the MyF5 Downloads page. For more information about the hotfix policy, refer to the F5 critical issue hotfix policy article.