F5 BIG-IP HTTP/2 Memory Resource Exhaustion Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in F5 BIG-IP systems when an HTTP/2 profile is active on a virtual server. Undisclosed requests can cause excessive memory usage, degrading system performance. This issue affects the Traffic Management Microkernel (TMM) process, which may require a manual or forced restart to recover. The vulnerability allows remote, unauthenticated attackers to disrupt service, creating a denial-of-service condition on the affected BIG-IP system.

Impact

Exploitation of this vulnerability leads to increased memory usage, causing system performance to degrade. This degradation can result in a denial-of-service condition on the BIG-IP system, as the Traffic Management Microkernel (TMM) process may need to be manually restarted or forced to restart after being overwhelmed.

Remediation

To address this vulnerability, users can upgrade to a fixed version. For BIG-IP Next SPK, versions 2.0.0 to 2.0.3 are vulnerable, while version 2.3.2 is a fixed version. For BIG-IP Next CNF, versions 2.0.0 to 2.3.1 are vulnerable, with version 2.3.2 available as a fix. In the BIG-IP 21.x branch, versions 21.0.0 to 21.1.0 are vulnerable, while version 21.1.0.1 is a fixed version. For BIG-IP 17.x, versions 17.5.0 to 17.5.1 and 17.1.0 to 17.1.3 are vulnerable, with versions 17.5.1.8 and 17.1.3.4 available as fixes. Users can also create a custom eviction policy with Slow Flow Monitoring enabled and associate it with the affected virtual server as a mitigation strategy.

Added: Jul 15, 2026, 3:40 PM
Updated: Jul 15, 2026, 3:40 PM

Vulnerability Rating

Custom Algorithm
spread
2.2
impact
2.5
exploitability
7.6
remediation
0.0
relevance
9.7
threat
0.0
urgency
2.9
incentive
4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.