HTTP/2 Profile Vulnerability in F5 Networks' Traffic Management Microkernel
CVE-2026-42409

8.7HIGH

Key Information:

Vendor: F5
Status: Big-ip; Big-ip Next Spk; Big-ip Next Cnf; Big-ip Next For Kubernetes
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-42409?

A vulnerability exists in F5 Networks' Traffic Management Microkernel (TMM) when an HTTP/2 profile interacts with specific iRules, such as those utilizing the HTTP::redirect or HTTP::respond commands. This configuration may enable an attacker to send crafted requests that lead to unexpected terminations of the TMM process, potentially disrupting service for users. Notably, products that have reached End of Technical Support (EoTS) are not included in the evaluation of this vulnerability.

Affected Version(s)

BIG-IP 21.0.0 < 21.0.0.1

BIG-IP 17.5.0 < 17.5.1.4

BIG-IP 17.1.0 < 17.1.3.1

References

https://my.f5.com/manage/s/article/K000159034

vendor-advisorypatch

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

CVE-2026-42409 Data

JSON