medium threat

CVE-2026-42920 - F5 BIG-IP TMM Termination Vulnerability

CVE-2026-42920 describes a vulnerability where undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate when a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server.

CVE-2026-42920 is a high-severity vulnerability affecting F5 BIG-IP systems. The vulnerability resides in the Traffic Management Microkernel (TMM). When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, specially crafted, yet undisclosed, network traffic can cause the TMM process to terminate. This can lead to a denial-of-service condition. Exploitation of this issue does not require authentication. The vulnerability details were published on May 13, 2026. Software versions that have reached End of Technical Support (EoTS) are not evaluated.

Attack Chain

Given the limited information, the attack chain is inferred based on the vulnerability description:

  1. Attacker identifies a target BIG-IP system with a UDP virtual server configured with a Client SSL profile and Allow Dynamic Record Sizing enabled.
  2. Attacker crafts specialized network packets, leveraging the undisclosed vulnerability.
  3. Attacker sends the malicious UDP packets to the vulnerable virtual server.
  4. The packets are processed by the TMM, triggering a vulnerability due to the dynamic record sizing logic.
  5. The TMM process encounters an unhandled exception or infinite loop, leading to its termination (CWE-835).
  6. The BIG-IP system experiences a denial-of-service condition as the TMM process is no longer operational.
  7. Availability of services handled by the affected virtual server is interrupted.

Impact

Successful exploitation of CVE-2026-42920 results in the termination of the Traffic Management Microkernel (TMM), leading to a denial-of-service condition. This impacts the availability of services provided by the affected BIG-IP virtual server. The vulnerability has a CVSS v3.1 score of 7.5, indicating a high level of severity. The number of potential victims depends on the number of BIG-IP systems with vulnerable configurations exposed to malicious traffic.

Recommendation

  • Consult F5’s advisory K000160901 for affected versions and mitigation steps.
  • Monitor network traffic for anomalies targeting UDP virtual servers with Client SSL profiles and dynamic record sizing enabled.
  • Deploy the Sigma rule Detect BIG-IP TMM Termination Traffic to detect potential exploitation attempts based on traffic patterns (see below).
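
To find out whether a device carries the configuration described above, the following added example (not code from F5 or from this feed) scans BIG-IP configuration text for UDP virtual servers that reference a Client SSL profile with dynamic record sizing enabled, following profile inheritance. It assumes the `bigip.conf` stanza layout with top-level closing braces in column 0 and the tmsh keys `ip-protocol`, `allow-dynamic-record-sizing` and `defaults-from`; it also assumes that parent profiles not present in the scanned text leave the setting disabled. All object names in the sample are constructed.

```python
import re
# Constructed sample in bigip.conf style; object names are made up.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/dtls_drs {
    allow-dynamic-record-sizing enabled
}
ltm profile client-ssl /Common/dtls_child {
    defaults-from /Common/dtls_drs
}
ltm virtual /Common/vs_dtls {
    ip-protocol udp
    profiles {
        /Common/dtls_child { context clientside }
    }
}
ltm virtual /Common/vs_https {
    ip-protocol tcp
    profiles {
        /Common/dtls_drs { context clientside }
    }
}
"""

def stanzas(conf, kind):
    """Yield (name, stripped body lines) for each top-level '<kind> <name> {' stanza."""
    pattern = rf"^{re.escape(kind)} (\S+) \{{\n(.*?)^\}}"
    for m in re.finditer(pattern, conf, re.M | re.S):
        yield m.group(1), [l.strip() for l in m.group(2).splitlines()]

def drs_enabled(profiles, name, seen=()):
    """Resolve allow-dynamic-record-sizing, following defaults-from parents."""
    if name not in profiles or name in seen:
        return False  # assumption: parents outside this text keep the setting disabled
    s = dict(l.split(None, 1) for l in profiles[name] if " " in l)
    if "allow-dynamic-record-sizing" in s:
        return s["allow-dynamic-record-sizing"] == "enabled"
    return drs_enabled(profiles, s.get("defaults-from"), seen + (name,))

def exposed_virtuals(conf):
    """Return (virtual, profile) pairs: UDP virtual using a client-ssl profile with DRS on."""
    profiles = dict(stanzas(conf, "ltm profile client-ssl"))
    return [(vs, line.split()[0])
            for vs, body in stanzas(conf, "ltm virtual") if "ip-protocol udp" in body
            for line in body
            if line and line.split()[0] in profiles and drs_enabled(profiles, line.split()[0])]
```

On the sample, only `/Common/vs_dtls` is reported: it is UDP and its profile inherits the enabled setting, while `/Common/vs_https` uses the same parent profile over TCP and is skipped.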

Detection coverage 2

Detect BIG-IP TMM Termination Traffic

medium

Detects CVE-2026-42920 exploitation — Monitors UDP traffic patterns indicative of attempts to trigger TMM termination.

sigma | tactics: denial_of_service | techniques: T1499.004 | sources: network_connection, windows

Detect BIG-IP TMM Crash - Event Log

high

Detects potential TMM crashes via event logs related to unexpected process termination

sigma | tactics: denial_of_service | techniques: T1499.004 | sources: process_creation, windows