CVE-2026-41218 Overview
CVE-2026-41218 is a high-severity denial of service vulnerability in F5 BIG-IP Policy Enforcement Manager (PEM). When iRules using commands prefixed with CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, or the urlcatquery command are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. The vulnerability is tracked as a Use After Free issue [CWE-416] and is exploitable remotely over the network without authentication or user interaction.
Critical Impact
Remote unauthenticated attackers can crash the TMM process by sending crafted traffic to a virtual server with vulnerable PEM iRules, disrupting all traffic processed by the affected BIG-IP device.
Affected Products
- F5 BIG-IP PEM (Policy Enforcement Manager) with iRules configured on a virtual server
- BIG-IP virtual servers using iRules with CLASSIFICATION::, CLASSIFY::, PEM::, or PSC:: commands
- BIG-IP virtual servers using iRules with the urlcatquery command
Discovery Timeline
- 2026-05-13 - CVE-2026-41218 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41218
Vulnerability Analysis
The vulnerability resides in the Traffic Management Microkernel (TMM), the core data plane process of F5 BIG-IP that handles all network traffic. When a virtual server is configured with PEM iRules using specific command families, processing certain traffic patterns triggers a use-after-free condition. The TMM process terminates as a result, halting traffic handling on the affected device. The attack vector is network-based, requires no privileges, and does not require user interaction. Impact is limited to availability — confidentiality and integrity are not affected.
Root Cause
The issue is classified as a Use After Free [CWE-416]. The PEM iRule command handlers — covering classification (CLASSIFICATION::, CLASSIFY::), policy enforcement (PEM::), subscriber control (PSC::), and URL category lookup (urlcatquery) — reference memory that has already been freed during traffic processing. F5 has not disclosed the specific traffic pattern that triggers the condition. Software versions that reached End of Technical Support (EoTS) were not evaluated by the vendor.
Attack Vector
An unauthenticated remote attacker sends crafted traffic to a virtual server bound to an iRule containing one of the affected PEM commands. The traffic triggers the use-after-free in TMM, which terminates and disrupts traffic forwarding. Because TMM is the central data plane process, its termination affects all virtual servers on the device, not only the one carrying the vulnerable iRule.
No verified public proof-of-concept is available. Refer to F5 Article K000160875 for the vendor-supplied technical details; the precise triggering traffic conditions are withheld under F5's disclosure policy.
Detection Methods for CVE-2026-41218
Indicators of Compromise
- Unexpected TMM process restarts or core dumps on BIG-IP devices, typically logged under /var/log/ltm and /var/core/.
- Sudden loss of traffic processing across virtual servers correlated with crafted client requests.
- High-availability failover events triggered by TMM termination on the active unit.
Detection Strategies
- Audit iRules deployed on virtual servers for use of CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, or urlcatquery commands.
- Forward BIG-IP system logs and TMM crash events to a centralized logging or SIEM platform for correlation with network traffic.
- Monitor for repeated TMM restart patterns that align with specific client source IPs or request signatures.
Monitoring Recommendations
- Enable SNMP traps for TMM failure and HA failover events, and alert security operations on each occurrence.
- Track per-virtual-server connection drops and reset counters via tmsh show ltm virtual for anomalies.
- Retain TMM core files for forensic analysis to identify recurring crash signatures tied to PEM iRule processing.
How to Mitigate CVE-2026-41218
Immediate Actions Required
- Inventory all virtual servers and identify any iRule referencing CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, or urlcatquery.
- Apply the fixed software versions listed by F5 in the vendor advisory as soon as a maintenance window permits.
- Confirm that BIG-IP devices are running supported software, since End of Technical Support versions were not evaluated.
Patch Information
F5 has published remediation guidance in F5 Article K000160875. Administrators should review the advisory for the list of fixed releases for each affected BIG-IP branch and upgrade to a version that explicitly addresses CVE-2026-41218.
Workarounds
- Remove or disable the affected PEM iRule commands on virtual servers where they are not strictly required.
- Detach iRules containing the vulnerable commands from internet-facing virtual servers until patching is complete.
- Restrict access to virtual servers using firewall rules or source address filtering where business requirements allow.
# Identify iRules referencing vulnerable PEM commands on BIG-IP
tmsh list ltm rule | grep -E 'CLASSIFICATION::|CLASSIFY::|PEM::|PSC::|urlcatquery'
# List virtual servers and their attached iRules for review
tmsh list ltm virtual one-line | grep rules
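The two tmsh commands above only show matching lines; they do not tell you which iRule contains the command or which virtual servers carry that rule. The following script is an added audit example written for this page, not F5 tooling or code from the advisory. It parses the output of `tmsh list ltm rule` and `tmsh list ltm virtual one-line` (the output layout is assumed from typical tmsh rendering, and the embedded samples are constructed, not captured from a device) and reports each virtual server that is exposed through an iRule using an affected command family. Run it on a BIG-IP by replacing the samples with the real command output, for example via `tmsh list ltm rule > rules.txt`.

```python
import re
import sys

# Constructed sample of `tmsh list ltm rule` output (format assumed from
# typical tmsh rendering; not captured from a real device).
SAMPLE_RULES = """\
ltm rule /Common/pem_classify {
    when CLIENT_ACCEPTED {
        set app [CLASSIFICATION::app]
        PEM::session info [IP::client_addr]
    }
}
ltm rule /Common/url_lookup {
    when HTTP_REQUEST {
        set cat [urlcatquery [HTTP::uri]]
    }
}
ltm rule /Common/plain_redirect {
    when HTTP_REQUEST {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
"""

# Constructed sample of `tmsh list ltm virtual one-line` output (same caveat).
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_pem { destination /Common/10.0.0.10:80 ip-protocol tcp pool /Common/pool_a rules { /Common/pem_classify /Common/plain_redirect } source 0.0.0.0/0 }
ltm virtual /Common/vs_url { destination /Common/10.0.0.11:80 ip-protocol tcp pool /Common/pool_b rules { /Common/url_lookup } source 0.0.0.0/0 }
ltm virtual /Common/vs_plain { destination /Common/10.0.0.12:443 ip-protocol tcp pool /Common/pool_c rules { /Common/plain_redirect } source 0.0.0.0/0 }
ltm virtual /Common/vs_norules { destination /Common/10.0.0.13:22 ip-protocol tcp pool /Common/pool_d source 0.0.0.0/0 }
"""

# Command families named in the CVE-2026-41218 advisory.
AFFECTED_PATTERN = re.compile(r"\b(?:CLASSIFICATION::|CLASSIFY::|PEM::|PSC::|urlcatquery\b)")


def parse_rules(text):
    """Map iRule name -> body text from `tmsh list ltm rule` output.

    A rule starts at a line `ltm rule NAME {` and ends at the first `}` in
    column zero; nested braces inside the body are indented, so they are kept.
    """
    rules = {}
    name, body = None, []
    for line in text.splitlines():
        m = re.match(r"ltm rule (\S+) \{", line)
        if m:
            name, body = m.group(1), []
        elif line == "}" and name is not None:
            rules[name] = "\n".join(body)
            name = None
        elif name is not None:
            body.append(line)
    return rules


def affected_commands(body):
    """Return the sorted list of affected command families used in a rule body."""
    return sorted(set(AFFECTED_PATTERN.findall(body)))


def parse_virtuals(text):
    """Map virtual server name -> attached iRule names from one-line output."""
    virtuals = {}
    for line in text.splitlines():
        m = re.match(r"ltm virtual (\S+) \{", line)
        if not m:
            continue
        rules_m = re.search(r"\brules \{([^}]*)\}", line)
        virtuals[m.group(1)] = rules_m.group(1).split() if rules_m else []
    return virtuals


def audit(rules_text, virtuals_text):
    """Return {virtual: {rule: [commands]}} for exposed virtual servers only."""
    flagged = {}
    for name, body in parse_rules(rules_text).items():
        cmds = affected_commands(body)
        if cmds:
            flagged[name] = cmds
    exposed = {}
    for vs, attached in parse_virtuals(virtuals_text).items():
        hits = {r: flagged[r] for r in attached if r in flagged}
        if hits:
            exposed[vs] = hits
    return exposed


if __name__ == "__main__":
    # With two file arguments, audit real tmsh output; otherwise use the samples.
    if len(sys.argv) == 3:
        rules_text = open(sys.argv[1]).read()
        virtuals_text = open(sys.argv[2]).read()
    else:
        rules_text, virtuals_text = SAMPLE_RULES, SAMPLE_VIRTUALS
    for vs, hits in audit(rules_text, virtuals_text).items():
        for rule, cmds in hits.items():
            print(f"{vs}: rule {rule} uses {', '.join(cmds)}")
```

Virtual servers that appear in the report are the ones to prioritise when applying the fixed release or detaching the iRule; servers whose only attached rules use unaffected commands (here `/Common/vs_plain`) are left out of the report.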
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.