CVE-2026-39458 Overview
CVE-2026-39458 is a denial-of-service vulnerability affecting F5 BIG-IP systems configured with a DNS profile that has DNS cache enabled on a virtual server. Undisclosed network traffic can cause the Traffic Management Microkernel (TMM) to terminate, disrupting traffic processing on the affected device. The vulnerability is tracked under CWE-824: Access of Uninitialized Pointer. F5 has published an advisory in F5 Knowledge Base Article K000160945. Software versions that have reached End of Technical Support (EoTS) were not evaluated.
Critical Impact
Remote, unauthenticated attackers can terminate the TMM process on affected BIG-IP devices, causing service disruption to all traffic flows handled by the appliance.
Affected Products
- F5 BIG-IP systems with a DNS profile configured on a virtual server
- F5 BIG-IP deployments with DNS cache enabled within the DNS profile
- Supported (non-EoTS) BIG-IP software versions as identified in F5 advisory K000160945
Discovery Timeline
- 2026-05-13 - CVE-2026-39458 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-39458
Vulnerability Analysis
The vulnerability resides in the Traffic Management Microkernel (TMM), the core data-plane process in F5 BIG-IP responsible for handling all client and server traffic. When a virtual server is configured with a DNS profile that enables DNS cache, specific undisclosed traffic patterns trigger a fault that terminates TMM. Termination of TMM halts traffic processing across the appliance until the process restarts. The associated weakness, CWE-824, indicates the code accesses a pointer that has not been properly initialized, which can produce undefined behavior and process termination.
Root Cause
The root cause is improper handling of an uninitialized pointer within the DNS cache code path in TMM. When the DNS profile with caching is bound to a virtual server, the affected code path is reachable through normal DNS request handling. Crafted or anomalous DNS traffic exercises the unsafe path and dereferences an invalid pointer, causing TMM to crash.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends DNS traffic to the affected virtual server, reaching the DNS cache logic in TMM. Successful exploitation terminates TMM and creates a denial-of-service condition. Confidentiality and integrity are not impacted, but the availability impact is high.
No public exploit code or proof-of-concept is available at this time. For technical specifics on affected versions and fixed builds, refer to the F5 Knowledge Base Article K000160945.
Detection Methods for CVE-2026-39458
Indicators of Compromise
- Unexpected restarts or core dumps of the tmm process on BIG-IP devices
- Entries in /var/log/ltm referencing TMM termination, segmentation faults, or DNS cache subsystem errors
- Brief but recurring traffic interruptions on virtual servers bound to a DNS profile with cache enabled
- Spikes in inbound DNS query volume preceding TMM failure events
Detection Strategies
- Monitor BIG-IP system logs and restjavad/tmm core files for crash signatures correlated with DNS traffic.
- Alert on TMM process restart events through SNMP traps or the iHealth diagnostic feed.
- Correlate DNS request anomalies against virtual servers that have DNS cache enabled in their DNS profile.
Monitoring Recommendations
- Forward BIG-IP syslog and high-speed logging streams to a centralized log platform for crash analysis.
- Track baseline DNS query rates per virtual server and alert on deviations.
- Enable health monitoring on affected virtual servers so upstream load balancers detect TMM outages quickly.
How to Mitigate CVE-2026-39458
Immediate Actions Required
- Identify all BIG-IP virtual servers with a DNS profile that has DNS cache enabled.
- Apply the fixed software versions listed in F5 K000160945 as soon as feasible.
- Restrict DNS traffic to the affected virtual servers using access control lists or upstream firewall rules where possible.
- Retire or upgrade any BIG-IP software running End of Technical Support (EoTS) versions, which are not evaluated for this issue.
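One way to carry out the first action above offline, as an added example that is not from F5 or the original page: a small parser that reads a saved configuration dump and lists virtual servers bound to a DNS profile with cache enabled, including profiles that inherit the setting from a parent. It assumes the dump uses the brace-nested stanza style of `tmsh list` and that the profile exposes `enable-cache` and `defaults-from` keys; all object names in the sample are hypothetical.

```python
import re
# Constructed sample (hypothetical names); enable-cache/defaults-from keys are assumed.
SAMPLE = """\
ltm profile dns /Common/dns_cached {
    enable-cache yes
}
ltm profile dns /Common/dns_child {
    defaults-from /Common/dns_cached
}
ltm virtual /Common/vs_a {
    profiles {
        /Common/dns_child { }
    }
}
ltm virtual /Common/vs_b {
    profiles {
        /Common/udp { }
    }
}
"""

def parse_objects(text):
    """Map (kind, name) -> body lines for DNS profile and virtual stanzas."""
    objects, key, body, depth = {}, None, [], 0
    for line in text.splitlines():
        delta = line.count("{") - line.count("}")
        if depth == 0:  # stanza header; stanzas of other kinds get key=None
            m = re.match(r"ltm (profile dns|virtual) (\S+) \{", line)
            key, body = (m.groups() if m else None), []
        elif depth + delta > 0:  # still inside the stanza
            body.append(line.strip())
        elif key:  # closing brace of a stanza we track
            objects[key] = body
        depth += delta
    return objects

def cache_enabled(profiles, name, seen=()):
    """Resolve enable-cache through defaults-from; None if undetermined."""
    if name not in profiles or name in seen:  # unknown parent or cycle
        return None
    cfg = dict(l.split(None, 1) for l in profiles[name] if " " in l)
    if "enable-cache" in cfg:
        return cfg["enable-cache"] == "yes"
    return cache_enabled(profiles, cfg.get("defaults-from"), seen + (name,))

def exposed_virtuals(text):
    """Return sorted (virtual, dns_profile) pairs whose profile has cache on."""
    objs = parse_objects(text)
    profiles = {n: b for (k, n), b in objs.items() if k == "profile dns"}
    return sorted((n, l.partition(" ")[0]) for (k, n), b in objs.items()
                  if k == "virtual" for l in b
                  if cache_enabled(profiles, l.partition(" ")[0]))
```

A profile whose inheritance chain ends at a parent missing from the dump resolves to `None` and is not listed, so review such profiles by hand.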
Patch Information
F5 has published remediation guidance and fixed version information in F5 Knowledge Base Article K000160945. Administrators should consult the advisory for the specific fixed builds applicable to their BIG-IP branch and follow F5's standard upgrade procedure.
Workarounds
- Disable DNS cache within the DNS profile applied to the affected virtual servers if caching is not required.
- Remove or replace the DNS profile on virtual servers that do not require DNS handling.
- Apply source-IP restrictions or rate limits to DNS traffic reaching the virtual server until patching is complete.
# Configuration example: disable DNS cache on an affected DNS profile (tmsh)
tmsh modify ltm profile dns <profile_name> cache none
tmsh save sys config


