CVE-2024-41164 Overview
CVE-2024-41164 is a denial of service vulnerability in F5 BIG-IP products where the Traffic Management Microkernel (TMM) terminates when processing undisclosed traffic on a Virtual Server configured with a TCP profile that has Multipath TCP (MPTCP) enabled. The flaw is classified under CWE-476 (NULL Pointer Dereference) and affects the data plane of BIG-IP appliances. Successful exploitation causes the TMM process to terminate, disrupting traffic processing for all services routed through the affected device. F5 published this issue in Security Advisory K000138477.
Critical Impact
An unauthenticated remote attacker can cause TMM to terminate, leading to denial of service on BIG-IP devices with MPTCP-enabled Virtual Servers.
Affected Products
- F5 BIG-IP Local Traffic Manager, Access Policy Manager, and Advanced Firewall Manager (including version 17.1.0)
- F5 BIG-IP Advanced WAF, Application Security Manager, SSL Orchestrator, and Policy Enforcement Manager
- F5 BIG-IP Next Cloud-Native Network Functions and Next Service Proxy for Kubernetes
Discovery Timeline
- 2024-08-14 - CVE-2024-41164 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-41164
Vulnerability Analysis
The vulnerability resides in the TMM component of F5 BIG-IP, which handles all data plane traffic. When a Virtual Server is configured with a TCP profile that has Multipath TCP (MPTCP) enabled, specific undisclosed traffic patterns trigger a NULL pointer dereference in TMM. The dereference causes TMM to terminate, halting traffic processing across the device. F5 has not disclosed the exact packet structure or sequence that produces the condition. The advisory notes that conditions outside the attacker's control also influence whether the termination occurs, indicating the exploit path depends on internal state.
Root Cause
The root cause is a NULL pointer dereference [CWE-476] in the MPTCP code path within TMM. The component fails to validate a pointer before dereferencing it during MPTCP session handling. F5 has not publicly released the source of the dereferenced pointer.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted TCP traffic to a Virtual Server bound to a TCP profile with MPTCP enabled. Virtual Servers without MPTCP enabled are not affected. F5 has not published a proof-of-concept, and no public exploit is currently available.
The vulnerability mechanism centers on MPTCP option processing within the TMM packet pipeline. Refer to F5 Security Advisory K000138477 for vendor-confirmed details on affected versions and conditions.
Detection Methods for CVE-2024-41164
Indicators of Compromise
- Unexpected TMM core dumps or tmm process restarts logged in /var/log/ltm
- Sudden loss of traffic forwarding on Virtual Servers configured with MPTCP-enabled TCP profiles
- High Availability failover events triggered by TMM termination on the active unit
Detection Strategies
- Audit BIG-IP configurations for TCP profiles with the mptcp option enabled and identify Virtual Servers using them
- Monitor tmm process health via SNMP, iControl REST, or qkview output for unscheduled restarts
- Correlate ingress packet captures with TMM termination timestamps to identify malformed MPTCP option sequences
Monitoring Recommendations
- Forward BIG-IP system logs and TMM crash data to a centralized SIEM or data lake for correlation across the fleet
- Alert on repeated TMM restarts within short time windows, which indicate possible exploitation attempts
- Track inbound TCP connections containing MPTCP options against Virtual Servers known to have MPTCP enabled
How to Mitigate CVE-2024-41164
Immediate Actions Required
- Identify all BIG-IP Virtual Servers using TCP profiles with MPTCP enabled and inventory their exposure
- Apply the fixed software versions listed in F5 Security Advisory K000138477
- Restrict network access to affected Virtual Servers until patches are applied
Patch Information
F5 has released fixed software versions documented in Security Advisory K000138477. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to a supported branch. Administrators should consult the advisory for the exact fixed release matching their installed branch.
Workarounds
- Disable MPTCP in the TCP profile assigned to affected Virtual Servers by setting the mptcp option to disabled
- Replace the affected TCP profile with the default tcp profile, which does not enable MPTCP
- Apply access control lists or upstream firewall rules to limit which sources can reach MPTCP-enabled Virtual Servers
# Example: disable MPTCP on a custom TCP profile via tmsh
tmsh modify ltm profile tcp custom_tcp_profile mptcp disabled
tmsh save sys config
# Verify configuration
tmsh list ltm profile tcp custom_tcp_profile mptcp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

