{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2507", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2026-02-13T22:57:30.264Z", "datePublished": "2026-02-18T15:55:28.508Z", "dateUpdated": "2026-02-18T17:52:18.117Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["BIG-IP AFM", "BIG-IP DDoS"], "product": "BIG-IP", "vendor": "F5", "versions": [{"lessThan": "*", "status": "unaffected", "version": "21.0.0", "versionType": "custom"}, {"changes": [{"at": "17.5.1.4.0.17.20-ENG", "status": "unaffected"}], "lessThan": "*", "status": "affected", "version": "17.5.1.4", "versionType": "custom"}, {"lessThan": "*", "status": "unaffected", "version": "17.1.0", "versionType": "custom"}, {"lessThan": "*", "status": "unaffected", "version": "16.1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "F5"}], "datePublic": "2026-02-18T15:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "value": "When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2026-02-18T15:55:28.508Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K000160003"}], "source": {"discovery": "INTERNAL"}, "title": "BIG-IP TMM Vulnerability", "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T17:48:23.597249Z", "id": "CVE-2026-2507", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T17:52:18.117Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2507", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T17:48:23.597249Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T17:52:12.976Z"}}], "cna": {"title": "BIG-IP TMM Vulnerability", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "F5"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "F5", "modules": ["BIG-IP AFM", "BIG-IP DDoS"], "product": "BIG-IP", "versions": [{"status": "unaffected", "version": "21.0.0", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "17.5.1.4.0.17.20-ENG", "status": "unaffected"}], "version": "17.5.1.4", "lessThan": "*", "versionType": "custom"}, {"status": "unaffected", "version": "17.1.0", "lessThan": "*", "versionType": "custom"}, {"status": "unaffected", "version": "16.1.0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-18T15:00:00.000Z", "references": [{"url": "https://my.f5.com/manage/s/article/K000160003", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "F5 SIRTBot v1.0"}, "descriptions": [{"lang": "en", "value": "When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "value": "When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2026-02-18T15:55:28.508Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2507", "state": "PUBLISHED", "dateUpdated": "2026-02-18T17:52:18.117Z", "dateReserved": "2026-02-13T22:57:30.264Z", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "datePublished": "2026-02-18T15:55:28.508Z", "assignerShortName": "f5"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "Cuando se aprovisiona BIG-IP AFM o BIG-IP DDoS, el tr\u00e1fico no revelado puede provocar la terminaci\u00f3n de TMM. Nota: Las versiones de software que han alcanzado el Fin de Soporte T\u00e9cnico (EoTS) no se eval\u00faan."}], "id": "CVE-2026-2507", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "f5sirt@f5.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f5sirt@f5.com", "type": "Secondary"}]}, "published": "2026-02-18T17:21:36.540", "references": [{"source": "f5sirt@f5.com", "url": "https://my.f5.com/manage/s/article/K000160003"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "f5sirt@f5.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[21.0.0,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[17.1.0,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[16.1.0,*]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[17.5.1.4,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[17.5.1.4.0.17.20-ENG,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "BIG-IP", "source": "cna", "vendor": "F5"}, "product": "big-ip", "vendor": "f5"}], "analysis": {"en": {"generated_at": "2026-04-17T18:38:29.310867+00:00", "value": {"mitigation_remediation": ["Upgrade the BIG\u2011IP firmware to the latest supported version that contains the fix for the TMM NULL pointer dereference.", "If an immediate upgrade is not feasible, consider temporarily disabling the AFM or DDoS service to prevent the crash from occurring.", "Implement network traffic filtering or isolation on inbound connections to limit the types of traffic that reach the BIG\u2011IP device until remediation is applied."], "summary": {"action": "Update Firmware", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects F5 BIG\u2011IP appliances that have AFM or DDoS provisioned. Specific vulnerable product variants and versions are not enumerated in the public advisory; however, the advisory notes that end\u2011of\u2011support releases are not evaluated, implying that only actively supported releases are at risk.", "description_and_impact": "The vulnerability resides in the Traffic Management Microkernel (TMM) of F5 BIG\u2011IP when Advanced Firewall Manager (AFM) or Distributed Denial of Service (DDoS) services are provisioned. Undisclosed or malformed traffic can trigger a NULL pointer dereference in TMM, causing the kernel to terminate and the BIG\u2011IP system to become unavailable. This flaw results in a denial of service to all users and network services dependent on the affected device. The CVSS score of 8.7 indicates a high severity impact with full loss of service availability in the affected environment.", "risk_and_exploitability": "The EPSS score is reported to be below 1\u202f%, suggesting that the exploitation likelihood is low, and the flaw is not listed in the CISA KEV catalog. Nonetheless, the CVSS score indicates that a successful exploitation would fully disrupt availability. An attacker would need to send specially crafted traffic towards the BIG\u2011IP device over the network, which could be performed remotely where the device is exposed. The attack impacts all services running on the device until it is rebooted or recovered."}}}}, "created": "2026-02-19T10:11:40.924330+00:00", "updated": "2026-04-17T18:45:25.550324+00:00", "vendors": ["f5", "f5$PRODUCT$big-ip"]}