Which versions of F5 BIG-IP are affected by CVE-2026-42920?

F5 BIG-IP Traffic Management Microkernel (TMM) contains a denial-of-service vulnerability affecting UDP virtual servers with Client SSL and Dynamic Record Sizing enabled, allowing unauthenticated…. A patch is available.

F5 BIG-IP CVE-2026-42920

Q: What is the CVSS score of CVE-2026-42920?

CVE-2026-42920 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-30004 HIGH

Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)

2026-05-13 f5

GHSA-xgx2-84j2-cx9m

Denial Of Service

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

May 13, 2026 - 16:22 vuln.today

cvss_changed

CVSS changed

May 13, 2026 - 16:22 NVD

7.5 (HIGH) 8.7 (HIGH)

Analysis Generated

May 13, 2026 - 15:46 vuln.today

CVE Published

May 13, 2026 - 14:12 nvd

HIGH 7.5

DescriptionNVD

When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual servers configured with Client SSL profiles having Allow Dynamic Record Sizing enabled. Remote unauthenticated attackers can trigger complete service denial by sending crafted traffic, causing TMM process crashes. …

RemediationAI

Within 24 hours: Identify all F5 BIG-IP instances running affected versions with UDP virtual servers configured using Client SSL profiles with Allow Dynamic Record Sizing enabled. Within 7 days: Apply vendor-released patch per F5 advisory K000160901 to all affected BIG-IP systems, prioritizing production load balancers. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42920 vulnerability details – vuln.today

Back

F5 BIG-IP CVE-2026-42920

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

F5 BIG-IP CVE-2026-42920

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code