Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (f5) · only source for this CVE.
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles on virtual servers. Remote unauthenticated attackers can crash TMM using undisclosed malicious traffic patterns, causing complete service disruption. CVSS 7.5 High severity with network vector and low complexity. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. Vendor patch available per F5 K000160945.
Technical ContextAI
BIG-IP DNS (formerly GTM) is F5's global server load balancing and DNS resolution platform. The vulnerability affects the Traffic Management Microkernel (TMM), the core packet processing engine handling all BIG-IP traffic. DNS caching functionality, when enabled via a DNS profile attached to a virtual server, introduces memory corruption conditions (CWE-824: Access of Uninitialized Pointer). The DNS cache maintains response records to optimize query performance, but malformed or specially crafted DNS packets trigger uninitialized pointer access, causing TMM process termination. TMM restart leads to traffic interruption across all virtual servers on the affected instance. The CPE identifier applies broadly to F5 BIG-IP product family; specific affected versions are restricted to those within active support windows per F5's EoTS policy.
RemediationAI
Apply vendor-supplied patches per F5 Security Advisory K000160945 available at https://my.f5.com/manage/s/article/K000160945. F5 typically delivers fixes via hotfix engineering builds or scheduled maintenance releases; verify the specific patched version for your active BIG-IP release train through the K-article or F5 support portal. If immediate patching is not feasible, implement these compensating controls: (1) Disable DNS cache in affected DNS profiles if performance requirements allow - eliminates attack surface but increases backend DNS query load and response latency; (2) Restrict virtual server access via ACLs or firewall rules to trusted source networks only - reduces exposure but limits legitimate external DNS resolution; (3) Enable BIG-IP High Availability (HA) active-standby or active-active clustering to ensure automatic failover during TMM crashes - minimizes downtime to failover duration (5-30 seconds) but does not prevent exploitation; (4) Implement rate-limiting on DNS virtual servers to throttle potential attack traffic - may reduce attack effectiveness but could also impact legitimate high-volume queries. Monitor TMM process restarts via /var/log/ltm logs and alert on unexpected crashes. No workaround fully mitigates the vulnerability; patching remains the definitive solution.
Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges t
Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor e
Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via
Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote a
F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when process
Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Pro
Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are c
Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM)
Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual server
Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust conn
Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Tra
Remote denial of service in F5 BIG-IP Access Policy Manager (APM) allows unauthenticated attackers to crash the apmd pro
Same weakness CWE-824 – Access of Uninitialized Pointer
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29967
GHSA-9w3c-r5r8-2fg7