high advisory

BIG-IP PEM iRules Traffic Management Microkernel (TMM) Termination

CVE-2026-41218 describes a vulnerability in F5 BIG-IP PEM iRules where undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate, leading to a denial-of-service condition.

CVE-2026-41218 affects F5 BIG-IP Policy Enforcement Manager (PEM) iRules. When an iRule that uses commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, or PSC::, or the urlcatquery command, is configured on a virtual server, specially crafted, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate, resulting in a denial-of-service condition. This issue does not affect software versions that have reached End of Technical Support (EoTS). The vulnerability was reported by F5 Networks.

Attack Chain

  1. An attacker identifies a vulnerable BIG-IP system with PEM iRules configured.
  2. The attacker crafts malicious network traffic.
  3. The malicious traffic is sent to the BIG-IP virtual server.
  4. The iRule processes the malicious traffic, specifically using vulnerable commands like CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, or urlcatquery.
  5. The processing of the crafted traffic causes a use-after-free condition in the TMM.
  6. The TMM process crashes due to the memory corruption.
  7. The BIG-IP system experiences a denial-of-service condition.

Impact

Successful exploitation of CVE-2026-41218 results in the termination of the Traffic Management Microkernel (TMM), leading to a denial-of-service condition. This impacts the availability of services relying on the BIG-IP system. The severity is rated as High with a CVSS v3.1 score of 7.5.

Recommendation

  • Monitor network traffic for patterns exploiting the CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and urlcatquery commands in iRules as described in the vulnerability details for CVE-2026-41218.
  • Deploy the Sigma rule Detect BIG-IP PEM iRules TMM Termination Attempt to detect potential exploitation attempts by analyzing network traffic targeting the BIG-IP system.
  • Refer to F5 Networks advisory K000160875 for mitigation steps and affected versions.
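The exposure condition above is an iRule using one of the listed commands that is attached to a virtual server. The following added example (not from F5 or from this advisory) audits an exported configuration for that condition; it assumes the bigip.conf stanza layout (`ltm rule <name> { ... }`, `ltm virtual <name> { ... rules { ... } }`), and the function names and sample configuration are constructed for illustration.

```python
import re

# Command prefixes listed in the advisory for CVE-2026-41218.
AFFECTED = re.compile(r"(?<![\w:])(?:(?:CLASSIFICATION|CLASSIFY|PEM|PSC)::\w+|urlcatquery\b)")

def stanzas(conf, kind):
    """Yield (name, body) for each top-level '<kind> <name> { ... }' stanza."""
    for m in re.finditer(rf"^{re.escape(kind)} (\S+) \{{", conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # naive brace matching, enough for an audit
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def exposed_virtuals(conf):
    """Map each virtual server to its attached iRules that call affected commands."""
    risky = {}
    for name, body in stanzas(conf, "ltm rule"):
        code = "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("#"))
        if hits := sorted(set(AFFECTED.findall(code))):
            risky[name] = hits
    exposed = {}
    for vs, body in stanzas(conf, "ltm virtual"):
        m = re.search(r"\brules \{([^}]*)\}", body)
        found = {r: risky[r] for r in (m.group(1).split() if m else []) if r in risky}
        if found:
            exposed[vs] = found
    return exposed

# Constructed sample in bigip.conf stanza layout; names and rule bodies are made up.
SAMPLE = """\
ltm rule /Common/pem_app_log {
    when CLASSIFICATION_DETECTED { log local0. "app [CLASSIFICATION::app]" }
}
ltm rule /Common/redirect_https {
    # PEM::session appears only in this comment
    when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
}
ltm rule /Common/pem_unattached {
    when HTTP_REQUEST { set q [urlcatquery [HTTP::host]] }
}
ltm virtual /Common/vs_subscribers {
    rules { /Common/pem_app_log /Common/redirect_https }
}
ltm virtual /Common/vs_plain {
    rules { /Common/redirect_https }
}
"""
print(exposed_virtuals(SAMPLE))
```

Rules that use an affected command but are not attached to any virtual server are not reported, since the advisory's condition requires the iRule to be configured on a virtual server.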

Detection coverage (1 rule)

Detect BIG-IP PEM iRules TMM Termination Attempt

high

Detects CVE-2026-41218 exploitation attempt by identifying traffic targeting vulnerable BIG-IP PEM iRules commands.

sigma
tactics: dos, exploitation
techniques: T1499.001
sources: network_connection, f5_big-ip
