Skip to content
Threat Feed
low advisory

CVE-2026-59762: F5 BIG-IP HTTP/2 Profile Denial of Service Vulnerability

A denial-of-service vulnerability (CVE-2026-59762) exists in F5 BIG-IP systems when an HTTP/2 profile is configured on a virtual server, where undisclosed requests can lead to increased memory resource utilization, degrading system performance and potentially causing the TMM process to restart, allowing a remote, unauthenticated attacker to cause a denial-of-service condition affecting the data plane.

CVE-2026-59762 describes a high-severity denial-of-service (DoS) vulnerability affecting F5 BIG-IP systems. Specifically, when an HTTP/2 profile is configured on a virtual server, receipt of certain undisclosed requests can lead to a significant increase in memory resource utilization. This escalation in memory consumption primarily affects the TMM (Traffic Management Microkernel) process, which is central to BIG-IP's packet processing. The vulnerability can cause system performance degradation, ultimately leading to the TMM process restarting, either forcibly or manually. This issue enables a remote, unauthenticated attacker to disrupt the availability of affected BIG-IP systems by causing a DoS condition. The vulnerability impacts only the data plane, with no exposure to the control plane. This vulnerability is significant for organizations relying on BIG-IP for critical traffic management, as it poses a direct threat to service availability.

Attack Chain

  1. A remote, unauthenticated attacker identifies an F5 BIG-IP virtual server configured with an HTTP/2 profile.
  2. The attacker sends a series of undisclosed HTTP/2 requests to the vulnerable virtual server.
  3. The F5 BIG-IP system, specifically the TMM process, processes these malicious HTTP/2 requests.
  4. During processing, the TMM process experiences an increase in memory resource utilization beyond normal operational parameters.
  5. Continued receipt of these requests or sustained high memory usage leads to degradation of the overall system performance of the BIG-IP appliance.
  6. Eventually, the excessive memory consumption may force the TMM process to automatically restart or require a manual restart by administrators.
  7. The restart of the TMM process causes a temporary but significant service disruption, resulting in a denial-of-service condition affecting the data plane of the BIG-IP system.

Impact

Successful exploitation of CVE-2026-59762 leads to a significant degradation of F5 BIG-IP system performance, primarily due to excessive memory resource utilization by the TMM process. This can culminate in the TMM process restarting, which directly causes a denial-of-service condition. For organizations, this means that critical services relying on the BIG-IP system for traffic management, load balancing, or application delivery may become unavailable, leading to operational downtime, lost revenue, and potential reputational damage. The attack can be initiated by any remote, unauthenticated attacker, making it a severe threat to the availability of affected BIG-IP deployments.

Recommendation

  • Patch CVE-2026-59762 on all F5 BIG-IP systems immediately, especially those with HTTP/2 profiles configured on virtual servers, by upgrading to the fixed software versions provided by F5.
  • Monitor F5 BIG-IP systems for unexpected restarts of the TMM process.
  • Monitor F5 BIG-IP systems for unusual increases in memory resource utilization, particularly on virtual servers configured with HTTP/2 profiles.