Primary

Context

F5 BIG-IP HTTP/2 Layer 7 Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in F5 BIG-IP systems with Layer 7 DoS Protection enabled on HTTP/2 virtual servers. Undisclosed traffic can lead to increased memory usage, causing the Traffic Management Microkernel (TMM) process to crash. This issue affects BIG-IP versions 17.5.0 to 17.5.1 and 17.1.0 to 17.1.3, as well as BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender in the 21.x branch.

Impact

Exploitation of this vulnerability disrupts traffic by causing the TMM process to terminate, leading to a denial-of-service condition on the BIG-IP system.

Remediation

Users can upgrade to BIG-IP versions 17.5.1.4 or 17.1.3.1 to address this vulnerability. For more information about managing BIG-IP product hotfixes, refer to the MyF5 article K13123.

Added: May 13, 2026, 6:03 PM

Updated: May 13, 2026, 6:03 PM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

2.5

exploitability

7.6

remediation

0.0

relevance

8.2

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

2.5

exploitability

7.6

remediation

0.0

relevance

8.2

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

F5 BIG-IP HTTP/2 Layer 7 Denial-of-Service Vulnerability

Vulnerability

Impact

Remediation

Affected Products

F5 BIG-IP Advanced WAF

F5 BIG-IP ASM

F5 BIG-IP DDoS Hybrid Defender

F5 BIG-IP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating