BIG-IP Next for Kubernetes

5 CVEs product

CVE-2026-42409 HIGH PATCH This Week

Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via undisclosed malformed HTTP/2 requests when virtual servers are configured with both an HTTP/2 profile and iRules using HTTP::redirect or HTTP::respond commands. Exploitation requires no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N) and results in complete service disruption. Vendor patch available via F5 K000159034. EPSS data not provided, but the specific configuration requirement limits exposure to organizations using HTTP/2 with custom iRule redirects or responses.

Tags: Denial of Service, Null Pointer Dereference, BIG-IP Next for Kubernetes, BIG-IP, BIG-IP Next SPK, +1 more
Sources: NVD, VulDB
CVSS 4.0: 8.7
EPSS: 0.1%

CVE-2026-40618 HIGH PATCH This Week

Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are configured without hardware crypto acceleration, allowing remote unauthenticated attackers to cause denial of service via undisclosed traffic patterns. CVSS 7.5 (High) with network attack vector and no prerequisites. EPSS data is not provided and no CISA KEV listing was identified, indicating theoretical rather than observed exploitation. Vendor patch available per F5 advisory K000158082.

Tags: Information Disclosure, Intel, BIG-IP Next for Kubernetes, BIG-IP, BIG-IP Next SPK, +1 more
Sources: NVD, VulDB
CVSS 4.0: 8.7
EPSS: 0.1%

CVE-2026-41956 HIGH PATCH This Week

Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM) by sending specially crafted UDP requests to virtual servers with classification profiles enabled. The vulnerability affects BIG-IP, BIG-IP Next CNF, and BIG-IP Next for Kubernetes platforms. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available per F5 advisory K000158038.

Tags: Buffer Overflow, Stack Overflow, BIG-IP Next for Kubernetes, BIG-IP, BIG-IP Next CNF
Sources: NVD, VulDB
CVSS 4.0: 8.7
EPSS: 0.1%

CVE-2026-40629 HIGH PATCH This Week

Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust connection processing via undisclosed traffic patterns, forcing affected servers to reject new client connections. The vulnerability affects multiple BIG-IP product lines including classic BIG-IP and all BIG-IP Next variants (SPK, CNF, Kubernetes). F5 has released vendor patches (K000158978), and with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N), this represents a straightforward network-based DoS attack requiring no authentication or special complexity.

Tags: Denial of Service, BIG-IP Next for Kubernetes, BIG-IP, BIG-IP Next SPK, BIG-IP Next CNF
Sources: NVD, VulDB
CVSS 4.0: 8.7
EPSS: 0.1%

CVE-2025-54500 MEDIUM PATCH This Month

An HTTP/2 implementation flaw allows a denial-of-service (DoS) attack that uses malformed HTTP/2 control frames to break the max concurrent streams limit (the HTTP/2 MadeYouReset attack). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. No vendor patch available.

Tags: Denial of Service, Red Hat, BIG-IP Advanced Web Application Firewall, BIG-IP Application Security Manager, BIG-IP Container Ingress Services, +24 more
Sources: NVD
CVSS 4.0: 6.9
EPSS: 0.1%

