{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/big-ip-pem-irules/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41218"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP PEM iRules"],"_cs_severities":["high"],"_cs_tags":["cve","dos","f5","big-ip"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-41218 describes a vulnerability affecting F5 BIG-IP Policy Enforcement Manager (PEM) iRules. When specific iRules commands are configured on a virtual server (iRules using commands starting with \u003ccode\u003eCLASSIFICATION::\u003c/code\u003e, \u003ccode\u003eCLASSIFY::\u003c/code\u003e, \u003ccode\u003ePEM::\u003c/code\u003e, \u003ccode\u003ePSC::\u003c/code\u003e, and the \u003ccode\u003eurlcatquery\u003c/code\u003e command), specially crafted, undisclosed traffic can trigger a termination of the Traffic Management Microkernel (TMM). The vulnerability leads to a denial-of-service condition. This issue does not affect software versions that have reached End of Technical Support (EoTS). The vulnerability was reported by F5 Networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable BIG-IP system with PEM iRules configured.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious network traffic.\u003c/li\u003e\n\u003cli\u003eThe malicious traffic is sent to the BIG-IP virtual server.\u003c/li\u003e\n\u003cli\u003eThe iRule processes the malicious traffic, specifically using vulnerable commands like \u003ccode\u003eCLASSIFICATION::\u003c/code\u003e, \u003ccode\u003eCLASSIFY::\u003c/code\u003e, \u003ccode\u003ePEM::\u003c/code\u003e, \u003ccode\u003ePSC::\u003c/code\u003e, or \u003ccode\u003eurlcatquery\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe processing of the crafted traffic causes a use-after-free condition in the TMM.\u003c/li\u003e\n\u003cli\u003eThe TMM process crashes due to the memory corruption.\u003c/li\u003e\n\u003cli\u003eThe BIG-IP system experiences a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41218 results in the termination of the Traffic Management Microkernel (TMM), leading to a denial-of-service condition. This impacts the availability of services relying on the BIG-IP system. The severity is rated as High with a CVSS v3.1 score of 7.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for patterns exploiting the \u003ccode\u003eCLASSIFICATION::\u003c/code\u003e, \u003ccode\u003eCLASSIFY::\u003c/code\u003e, \u003ccode\u003ePEM::\u003c/code\u003e, \u003ccode\u003ePSC::\u003c/code\u003e, and \u003ccode\u003eurlcatquery\u003c/code\u003e commands in iRules as described in the vulnerability details for CVE-2026-41218.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect BIG-IP PEM iRules TMM Termination Attempt\u003c/code\u003e to detect potential exploitation attempts by analyzing network traffic targeting the BIG-IP system.\u003c/li\u003e\n\u003cli\u003eRefer to F5 Networks advisory K000160875 for mitigation steps and affected versions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:24:12Z","date_published":"2026-05-13T16:24:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-big-ip-pem-tmm-termination/","summary":"CVE-2026-41218 describes a vulnerability in F5 BIG-IP PEM iRules where undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate, leading to a denial-of-service condition.","title":"BIG-IP PEM iRules Traffic Management Microkernel (TMM) Termination","url":"https://feed.craftedsignal.io/briefs/2026-05-big-ip-pem-tmm-termination/"}],"language":"en","title":"CraftedSignal Threat Feed — BIG-IP PEM IRules","version":"https://jsonfeed.org/version/1.1"}