BIG-IP PEM IRules — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/big-ip-pem-irules/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 13 May 2026 16:24:12 +0000BIG-IP PEM iRules Traffic Management Microkernel (TMM) Terminationhttps://feed.craftedsignal.io/briefs/2026-05-big-ip-pem-tmm-termination/Wed, 13 May 2026 16:24:12 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-big-ip-pem-tmm-termination/CVE-2026-41218 describes a vulnerability in F5 BIG-IP PEM iRules where undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate, leading to a denial-of-service condition.CVE-2026-41218 describes a vulnerability affecting F5 BIG-IP Policy Enforcement Manager (PEM) iRules. When specific iRules commands are configured on a virtual server (iRules using commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and the urlcatquery command), specially crafted, undisclosed traffic can trigger a termination of the Traffic Management Microkernel (TMM). The vulnerability leads to a denial-of-service condition. This issue does not affect software versions that have reached End of Technical Support (EoTS). The vulnerability was reported by F5 Networks.

Attack Chain

  1. An attacker identifies a vulnerable BIG-IP system with PEM iRules configured.
  2. The attacker crafts malicious network traffic.
  3. The malicious traffic is sent to the BIG-IP virtual server.
  4. The iRule processes the malicious traffic, specifically using vulnerable commands like CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, or urlcatquery.
  5. The processing of the crafted traffic causes a use-after-free condition in the TMM.
  6. The TMM process crashes due to the memory corruption.
  7. The BIG-IP system experiences a denial-of-service condition.

Impact

Successful exploitation of CVE-2026-41218 results in the termination of the Traffic Management Microkernel (TMM), leading to a denial-of-service condition. This impacts the availability of services relying on the BIG-IP system. The severity is rated as High with a CVSS v3.1 score of 7.5.

Recommendation

  • Monitor network traffic for patterns exploiting the CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and urlcatquery commands in iRules as described in the vulnerability details for CVE-2026-41218.
  • Deploy the Sigma rule Detect BIG-IP PEM iRules TMM Termination Attempt to detect potential exploitation attempts by analyzing network traffic targeting the BIG-IP system.
  • Refer to F5 Networks advisory K000160875 for mitigation steps and affected versions.
]]>highadvisorycvedosf5big-ip