CVE-2026-41227 Overview
CVE-2026-41227 is a denial-of-service vulnerability affecting F5 BIG-IP HTTP/2 virtual servers configured with Layer 7 DoS Protection. Undisclosed traffic patterns trigger uncontrolled memory growth in the Traffic Management Microkernel (TMM) process. The memory exhaustion forces TMM to terminate, disrupting traffic processing on the affected virtual server. The flaw maps to [CWE-770: Allocation of Resources Without Limits or Throttling]. F5 notes that software versions which have reached End of Technical Support (EoTS) are not evaluated. Refer to F5 Technical Article K000158979 for vendor guidance.
Critical Impact
A remote, unauthenticated attacker can terminate the TMM process on an HTTP/2 virtual server with Layer 7 DoS Protection enabled, disrupting application delivery and load balancing services.
Affected Products
- F5 BIG-IP deployments running an HTTP/2 virtual server
- BIG-IP configurations with Layer 7 DoS Protection enabled on the affected virtual server
- Software versions still under F5 Technical Support (EoTS versions are not evaluated)
Discovery Timeline
- 2026-05-13 - CVE-2026-41227 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41227
Vulnerability Analysis
The vulnerability resides in the Traffic Management Microkernel (TMM), the core data-plane process of F5 BIG-IP. TMM handles connection state, protocol parsing, and policy enforcement, including Layer 7 DoS Protection. When an HTTP/2 virtual server processes specific undisclosed traffic, memory allocations associated with Layer 7 DoS Protection grow without an enforced ceiling. The runaway allocation pattern eventually exceeds available memory, prompting the operating system or watchdog to terminate TMM.
Termination of TMM interrupts all traffic flowing through the BIG-IP data plane on the affected instance. Customers relying on the device for ingress, load balancing, or WAF enforcement experience service disruption until TMM restarts and rebuilds state.
Root Cause
The root cause is missing resource throttling [CWE-770] in the code path that handles HTTP/2 traffic under Layer 7 DoS Protection. Memory allocated to track or mitigate suspect requests is not bounded against attacker-controlled inputs. Without enforced quotas or eviction logic, attacker traffic drives allocations until the process is killed.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted HTTP/2 traffic toward a virtual server that has Layer 7 DoS Protection configured. The specific traffic pattern is not disclosed by F5. The result is a reliable denial-of-service condition against the data plane, impacting availability but not confidentiality or integrity. F5 has not published proof-of-concept code, and no public exploit is currently available.
No verified code examples are available for this vulnerability. Consult the F5 Technical Article K000158979 for vendor-supplied technical context.
Detection Methods for CVE-2026-41227
Indicators of Compromise
- Unexpected TMM process restarts logged in /var/log/ltm or shown by tmsh show sys proc-info tmm
- Sudden spikes in TMM resident memory followed by core dumps under /var/savecore/ or /shared/core/
- Connection resets and traffic interruptions on HTTP/2 virtual servers coinciding with elevated request volume
- High-rate or anomalous HTTP/2 stream patterns targeting virtual servers with Layer 7 DoS Protection profiles attached
Detection Strategies
- Monitor BIG-IP system logs for TMM panic, segfault, or restart events and correlate with inbound HTTP/2 traffic volume
- Baseline normal HTTP/2 request rates per virtual server and alert on deviations against virtual servers with DoS Protection profiles
- Ingest BIG-IP syslog and SNMP telemetry into a centralized SIEM or data lake to identify repeated TMM termination patterns across the fleet
Monitoring Recommendations
- Enable and forward tmm core file alerts and mcpd health notifications to your SOC
- Track memory utilization of the TMM process with sub-minute granularity to surface rapid growth
- Capture HTTP/2 frame-level telemetry on affected virtual servers to support post-incident traffic analysis
How to Mitigate CVE-2026-41227
Immediate Actions Required
- Inventory all BIG-IP virtual servers that use HTTP/2 profiles combined with Layer 7 DoS Protection
- Review F5 Technical Article K000158979 and apply the fixed version identified for your branch
- Confirm that BIG-IP instances are not running End of Technical Support (EoTS) versions, which are not evaluated by F5
- Restrict exposure of affected virtual servers behind upstream rate limiting or scrubbing where feasible
Patch Information
F5 publishes fixed software versions and mitigations in F5 Technical Article K000158979. Administrators should consult the advisory to identify the fixed release for their specific BIG-IP branch and schedule an upgrade through standard change management.
Workarounds
- Disable Layer 7 DoS Protection on HTTP/2 virtual servers if it is not strictly required, accepting the loss of that mitigation
- Disable HTTP/2 on affected virtual servers and fall back to HTTP/1.1 where application requirements permit
- Place an upstream rate limiter or WAF in front of the BIG-IP to constrain HTTP/2 request volume per source
- Apply source-IP allowlisting on management and high-value virtual servers to reduce attack surface
# Identify virtual servers with HTTP/2 and DoS Protection profiles attached
# (substring match on the one-line listing; confirm each hit by inspecting its profiles block)
tmsh list ltm virtual one-line | grep -E 'http2|dos'
# Temporarily detach the DoS profile from an affected virtual server
tmsh modify ltm virtual <vs_name> profiles delete { <dos_profile_name> }
# Or disable HTTP/2 by removing the HTTP/2 profile
# (http2 is the default profile name; substitute the custom profile name if one is attached instead)
tmsh modify ltm virtual <vs_name> profiles delete { http2 }
# Persist the change
tmsh save sys config
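For the inventory step, the substring grep above also matches unrelated profile names; the following is an added example (not F5's code or the K000158979 article's) that parses `tmsh list ltm virtual one-line` output and reports only virtual servers whose profiles block references both a known HTTP/2 profile and a known DoS profile. The profile name lists would come from `tmsh list ltm profile http2` and `tmsh list security dos profile` on a real device; here the names and the one-line listing are constructed, and the listing format is assumed from memory.

```shell
# Added example, not from the F5 article. Reads "tmsh list ltm virtual one-line"
# output on stdin and prints each virtual server whose profiles block contains
# both an HTTP/2 profile and a DoS profile (names supplied by the caller).
# $1: space-separated HTTP/2 profile names   $2: space-separated DoS profile names
find_exposed_vs() {
  awk -v h2="$1" -v dos="$2" '
    BEGIN {
      n = split(h2, a, " ");  for (i = 1; i <= n; i++) H[a[i]] = 1
      n = split(dos, b, " "); for (i = 1; i <= n; i++) D[b[i]] = 1
    }
    $1 == "ltm" && $2 == "virtual" {
      name = $3; has_h2 = 0; has_dos = 0; inprof = 0; depth = 0
      for (i = 4; i <= NF; i++) {
        # enter the profiles { ... } block; nested braces are per-profile options
        if (!inprof && $i == "profiles" && $(i + 1) == "{") { inprof = 1; depth = 1; i++; continue }
        if (!inprof) continue
        if ($i == "{") { depth++; continue }
        if ($i == "}") { depth--; if (depth == 0) inprof = 0; continue }
        if (depth == 1) {            # a profile name at the top level of the block
          if ($i in H) has_h2 = 1
          if ($i in D) has_dos = 1
        }
      }
      if (has_h2 && has_dos) print name
    }'
}

# Constructed sample listing (not real device output; format assumed from memory)
# so the function can be exercised offline. Expected: vs_api and vs_grpc only.
sample_inventory() {
  printf '%s\n' \
    'ltm virtual vs_api { destination 10.0.0.10:443 ip-protocol tcp profiles { clientssl { context clientside } http { } http2 { } dos_api { } tcp { } } source 0.0.0.0/0 }' \
    'ltm virtual vs_web { destination 10.0.0.11:443 ip-protocol tcp profiles { clientssl { context clientside } http { } http2 { } tcp { } } source 0.0.0.0/0 }' \
    'ltm virtual vs_legacy { destination 10.0.0.12:80 ip-protocol tcp profiles { http { } dos_api { } tcp { } } source 0.0.0.0/0 }' \
    'ltm virtual vs_grpc { destination 10.0.0.13:443 ip-protocol tcp profiles { clientssl { context clientside } h2_custom { } dos_api { } tcp { } } source 0.0.0.0/0 }' \
  | find_exposed_vs "http2 h2_custom" "dos_api"
}

# On a BIG-IP: tmsh list ltm virtual one-line | find_exposed_vs "<http2 names>" "<dos names>"
sample_inventory
```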
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.