CVE-2025-41414 Overview
CVE-2025-41414 is a denial of service vulnerability affecting F5 BIG-IP products when both HTTP/2 client and server profiles are configured on a virtual server. Undisclosed HTTP/2 requests can cause the Traffic Management Microkernel (TMM) to terminate, disrupting traffic processing on the affected device. The flaw is tracked under CWE-476 (NULL Pointer Dereference) and can be triggered remotely without authentication or user interaction. F5 has published advisory K000140968 covering remediation. Software versions that have reached End of Technical Support (EoTS) were not evaluated.
Critical Impact
Remote unauthenticated attackers can crash the TMM process on BIG-IP virtual servers configured with HTTP/2 client and server profiles, resulting in service interruption for all traffic handled by the device.
Affected Products
- F5 BIG-IP modules including Local Traffic Manager (LTM), Access Policy Manager (APM), Advanced WAF/ASM, Application Acceleration Manager, and Analytics
- F5 BIG-IP network services including Advanced Firewall Manager (AFM), DDoS Hybrid Defender, Carrier-Grade NAT, DNS, Global Traffic Manager, Link Controller, and Policy Enforcement Manager
- F5 BIG-IP Next Cloud-Native Network Functions and BIG-IP Next Service Proxy for Kubernetes
Discovery Timeline
- 2025-05-07 - CVE-2025-41414 published to NVD
- 2025-10-21 - Last updated in NVD database
Technical Details for CVE-2025-41414
Vulnerability Analysis
The vulnerability resides in the HTTP/2 request handling path of the Traffic Management Microkernel (TMM), the core data-plane process that handles all client and server traffic on BIG-IP devices. When a virtual server is configured with both an HTTP/2 client profile and an HTTP/2 server profile, specially crafted but undisclosed HTTP/2 requests trigger a NULL pointer dereference inside TMM. The result is a process termination that drops in-flight connections and interrupts traffic forwarding until TMM restarts.
Because TMM is the data-plane engine for the whole device, an unexpected termination interrupts every virtual server on the appliance, not only the one that received the request, until the process has restarted. F5 documents the issue in advisory K000140968. The CWE-476 classification indicates that the root cause is dereferencing a pointer that was not validated against NULL before use.
Root Cause
The defect is a missing NULL check in the HTTP/2 request processing path that is used when both a client and a server HTTP/2 profile are attached. For a particular sequence of HTTP/2 frames, a pointer that can legitimately be NULL is dereferenced without being validated, and TMM terminates. F5 has not publicly disclosed the specific frame type or field that triggers the condition.
Attack Vector
The vulnerability is exploitable over the network. An attacker only needs to reach a virtual server configured with HTTP/2 client and server profiles and send the triggering request. No authentication, no privileges, and no user interaction are required. Because TMM handles all data-plane traffic, the result is a denial of service condition for the entire BIG-IP instance.
No public proof-of-concept code or exploit examples have been released. See F5 advisory K000140968 for vendor-supplied technical detail.
Detection Methods for CVE-2025-41414
Indicators of Compromise
- Unexpected TMM core dumps (core files written under /shared/core) or restarts logged in /var/log/ltm and /var/log/tmm on BIG-IP devices.
- Loss of traffic on virtual servers with both http2-client and http2-server profiles attached, correlated with inbound HTTP/2 requests.
- High-availability failover events triggered by TMM process termination on the active unit.
Detection Strategies
- Monitor BIG-IP system logs for tmm segmentation faults, tmm restart notices, and panic messages.
- Because the triggering request is undisclosed, there is no reliable signature for it; treat unusual HTTP/2 request or frame volumes against virtual servers with dual HTTP/2 profiles as a lead, not as confirmation.
- Correlate TMM crashes with the source IPs of HTTP/2 connections that were active just before the crash, using upstream firewall or flow logs where available, since the crashing TMM may not have logged the offending connection itself.
Monitoring Recommendations
- Forward BIG-IP /var/log/ltm, /var/log/tmm, and SNMP traps to a centralized logging or SIEM platform for crash and restart alerting.
- Track TMM uptime and connection-rate metrics via iControl REST or SNMP to detect short-lived denial of service events.
- Alert on consecutive TMM restarts within short time windows; repeated restarts are more likely to indicate deliberate re-triggering of the crash than a transient fault.
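The restart-burst alert described above, as an added example rather than code from F5 or from this advisory. It parses constructed /var/log/ltm lines (syslog layout, with no year), collects the restart and crash events, and reports bursts of three or more within five minutes. The log lines are constructed samples, and the message patterns it matches, including "Re-starting tmm", are assumptions to be checked against what your BIG-IP version actually writes.

```python
"""Flag bursts of TMM restarts in a BIG-IP /var/log/ltm excerpt.

Added example, not F5 code. The log lines are constructed to mimic the
syslog layout of /var/log/ltm; the restart message patterns are assumptions
and should be checked against what your BIG-IP version actually emits.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/ltm lines: timestamp host level process[pid]: message.
SAMPLE_LTM_LOG = """\
Oct 21 14:02:11 bigip1 notice mcpd[5432]: Pool /Common/api_pool member /Common/10.0.0.5:443 monitor status up.
Oct 21 14:03:40 bigip1 emerg logger[22010]: Re-starting tmm
Oct 21 14:03:55 bigip1 notice sod[6001]: Standby
Oct 21 14:04:15 bigip1 emerg logger[22412]: Re-starting tmm
Oct 21 14:05:03 bigip1 emerg logger[22701]: Re-starting tmm
Oct 21 14:06:10 bigip1 notice mcpd[5432]: Pool /Common/api_pool member /Common/10.0.0.5:443 monitor status up.
Oct 21 16:30:00 bigip1 emerg logger[30102]: Re-starting tmm
"""

# Syslog-style prefix; the message text follows the first ": " after the process name.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ [^\[:]+(?:\[\d+\])?: (?P<msg>.*)$"
)

# Messages taken to mean the data plane went down. "Re-starting tmm" is assumed to be
# the restart wrapper's notice; "Restarted tmm" is the wording this page lists; the
# last pattern covers the usual crash signatures. Adjust to your platform's messages.
RESTART_PATTERNS = [
    re.compile(r"Re-starting tmm", re.I),
    re.compile(r"Restarted tmm", re.I),
    re.compile(r"\btmm\b.*\b(segmentation fault|segfault|panic)\b", re.I),
]

def tmm_restart_events(log_text, year=2025):
    """Return sorted datetimes of lines that indicate a TMM restart or crash.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if any(p.search(m.group("msg")) for p in RESTART_PATTERNS):
            events.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
    return sorted(events)

def restart_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Group restarts into bursts: `threshold` or more within `window` of the first.

    One restart can be a transient fault; several within a few minutes on a device
    with dual-HTTP/2 virtual servers looks like repeated triggering of the crash.
    Returns a list of (first_restart, last_restart, count).
    """
    events = sorted(events)
    bursts = []
    i = 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1] - events[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((events[i], events[j], count))
            i = j + 1  # do not report overlapping bursts twice
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    found = tmm_restart_events(SAMPLE_LTM_LOG)
    print(f"{len(found)} TMM restart events")
    for first, last, n in restart_bursts(found):
        print(f"ALERT: {n} TMM restarts between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample, the three restarts between 14:03:40 and 14:05:03 form one burst while the single restart at 16:30 is reported only as an event; feed the script a real excerpt with `tmm_restart_events(open("/var/log/ltm").read(), year=...)` and tune the window and threshold to your change and failover patterns.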
How to Mitigate CVE-2025-41414
Immediate Actions Required
- Identify all BIG-IP virtual servers that have both HTTP/2 client and HTTP/2 server profiles applied, since only this configuration is exploitable.
- Apply the fixed software versions listed in F5 advisory K000140968 to all affected BIG-IP and BIG-IP Next deployments.
- Until the fix is applied, restrict which networks can reach the affected virtual servers. The trigger is data-plane HTTP/2 traffic, so locking down the management interface alone does not reduce exposure.
Patch Information
F5 has published remediated software versions in advisory K000140968. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to a supported, patched branch. Administrators should validate the running version with tmsh show sys version and apply the engineering hotfix or maintenance release that matches their branch.
Workarounds
- Remove the HTTP/2 server profile from affected virtual servers where end-to-end HTTP/2 is not required, leaving only the HTTP/2 client profile in place. Traffic to the pool then falls back to HTTP/1.1, so confirm that pool members accept it before making the change in production.
- Restrict inbound HTTP/2 traffic to known client networks using a firewall or BIG-IP AFM rule until patches are applied.
- Enable high-availability pairing and connection mirroring so that a TMM restart on one unit results in a failover rather than a sustained outage. This limits the impact but does not remove the flaw: an attacker who can reach the newly active unit can crash it as well.
# List the HTTP/2 profiles that exist, then every virtual server that references one.
# A virtual server is affected only when its profiles stanza carries two HTTP/2 profiles,
# one with "context clientside" and one with "context serverside". Profile names are
# user chosen, so compare them against the first listing rather than trusting the string http2.
tmsh list ltm profile http2
tmsh list ltm virtual one-line | grep http2
# Temporary workaround: detach the server-side HTTP/2 profile (http2-server stands for the
# name of that profile on your system) and save the configuration
tmsh modify ltm virtual <vs_name> profiles delete { http2-server }
tmsh save sys config
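The identification step above, as an added example that is not F5 code or part of this advisory. Instead of grepping the virtual server listing for "http2", it takes the saved output of two tmsh commands (`tmsh list ltm profile http2 one-line` and `tmsh list ltm virtual one-line`), learns the HTTP/2 profile names from the first, and then flags only those virtual servers whose profiles stanza attaches one of them with context clientside and another with context serverside. The listings in the block are constructed samples; the exact one-line layout and the treatment of a profile attached with no explicit context (taken here to apply to both sides) are assumptions to verify against your system.

```python
"""Find BIG-IP virtual servers that carry HTTP/2 profiles on both sides.

Added example, not F5 code. It parses saved tmsh output rather than grepping
for "http2" in the virtual server listing, because HTTP/2 profile names are
user chosen and a server-side profile named, say, h2_backend would be missed.
The listings below are constructed samples; the one-line layout and the
handling of a profile with no explicit context are assumptions.
"""
import re

# Constructed: output of `tmsh list ltm profile http2 one-line`.
SAMPLE_HTTP2_PROFILES = """\
ltm profile http2 /Common/http2 { app-service none }
ltm profile http2 /Common/h2_backend { app-service none defaults-from /Common/http2 }
"""

# Constructed: output of `tmsh list ltm virtual one-line`.
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_api_https { destination /Common/10.0.0.10:443 ip-protocol tcp mask 255.255.255.255 pool /Common/api_pool profiles { /Common/clientssl { context clientside } /Common/http { } /Common/http2 { context clientside } /Common/h2_backend { context serverside } /Common/serverssl { context serverside } /Common/tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled }
ltm virtual /Common/vs_web_https { destination /Common/10.0.0.11:443 ip-protocol tcp mask 255.255.255.255 pool /Common/web_pool profiles { /Common/clientssl { context clientside } /Common/http { } /Common/http2 { context clientside } /Common/tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled }
ltm virtual /Common/vs_legacy_http { destination /Common/10.0.0.12:80 ip-protocol tcp mask 255.255.255.255 pool /Common/legacy_pool profiles { /Common/http { } /Common/tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled }
"""

PROFILE_LINE_RE = re.compile(r"^ltm profile http2 (\S+) ")
VIRTUAL_LINE_RE = re.compile(r"^ltm virtual (\S+) ")
PROFILE_ENTRY_RE = re.compile(r"(\S+) \{([^{}]*)\}")

def http2_profile_names(profile_listing):
    """Names of all HTTP/2 profiles, whatever they happen to be called."""
    names = set()
    for line in profile_listing.splitlines():
        m = PROFILE_LINE_RE.match(line)
        if m:
            names.add(m.group(1))
    return names

def _profiles_block(line):
    """Return the text inside the `profiles { ... }` stanza by matching braces."""
    key = " profiles {"
    start = line.find(key)
    if start < 0:
        return ""
    open_idx = start + len(key) - 1
    depth = 0
    for j in range(open_idx, len(line)):
        if line[j] == "{":
            depth += 1
        elif line[j] == "}":
            depth -= 1
            if depth == 0:
                return line[open_idx + 1:j]
    return ""

def attached_profiles(vs_listing):
    """Map virtual server name -> list of (profile name, context).

    A profile listed without a context is recorded as "all" (assumed to apply
    to both sides, as it does for profiles such as tcp).
    """
    result = {}
    for line in vs_listing.splitlines():
        m = VIRTUAL_LINE_RE.match(line)
        if not m:
            continue
        entries = []
        for name, body in PROFILE_ENTRY_RE.findall(_profiles_block(line)):
            ctx = re.search(r"context (\S+)", body)
            entries.append((name, ctx.group(1) if ctx else "all"))
        result[m.group(1)] = entries
    return result

def dual_http2_virtuals(vs_listing, profile_listing):
    """Virtual servers with an HTTP/2 profile on the client side and on the server side."""
    h2 = http2_profile_names(profile_listing)
    exposed = []
    for vs, entries in attached_profiles(vs_listing).items():
        sides = {ctx for name, ctx in entries if name in h2}
        client = bool(sides & {"clientside", "all"})
        server = bool(sides & {"serverside", "all"})
        if client and server:
            exposed.append(vs)
    return sorted(exposed)

if __name__ == "__main__":
    for vs in dual_http2_virtuals(SAMPLE_VIRTUALS, SAMPLE_HTTP2_PROFILES):
        print(f"dual HTTP/2 profiles: {vs}")
```

On the sample only /Common/vs_api_https is reported: its server-side profile is called h2_backend, which a name-based grep for http2 would not have flagged, while /Common/vs_web_https has HTTP/2 on the client side only and is outside the vulnerable configuration. Against a real device, save the two tmsh listings to files and pass their contents to dual_http2_virtuals.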
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.