CVE-2026-42781 Overview
CVE-2026-42781 is a denial-of-service vulnerability affecting F5 systems that use embedded Packet Velocity Acceleration (ePVA) hardware acceleration. When ePVA acceleration is configured, undisclosed local ethernet traffic can drive elevated resource utilization in both the ePVA subsystem and the Traffic Management Microkernel (TMM). The flaw is tracked under CWE-835, Loop with Unreachable Exit Condition. Exploitation requires adjacent network access and no authentication, making it reachable by any device on the same broadcast domain. F5 notes that software versions which have reached End of Technical Support (EoTS) were not evaluated.
Critical Impact
Adjacent attackers can degrade or exhaust TMM and ePVA resources, disrupting traffic processing on affected F5 appliances without authentication or user interaction.
Affected Products
- F5 platforms with embedded Packet Velocity Acceleration (ePVA) hardware acceleration
- F5 Traffic Management Microkernel (TMM) configurations using ePVA
- Specific affected versions are listed in F5 Support Article K000160862
Discovery Timeline
- 2026-05-13 - CVE-2026-42781 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42781
Vulnerability Analysis
The vulnerability lives in the interaction between F5's embedded Packet Velocity Acceleration (ePVA) hardware fast path and the Traffic Management Microkernel (TMM). ePVA offloads flow processing to hardware to reduce TMM CPU load. When specific local ethernet frames reach the device, ePVA enters a processing condition consistent with [CWE-835], a loop with an unreachable exit condition.
The result is elevated CPU and memory utilization in both ePVA and TMM. Sustained traffic can degrade throughput, increase latency, or interrupt traffic management entirely. F5 has not disclosed the exact frame characteristics that trigger the condition.
Root Cause
The root cause is improper handling of certain ethernet frames within the ePVA acceleration path. Frames that should be processed, dropped, or punted to slow path are instead retained in a state that drives repeated work in both the hardware-accelerated path and the TMM software path. The systemic effect is resource exhaustion rather than memory corruption or information disclosure.
Attack Vector
Exploitation requires adjacent network access (AV:A). An attacker must be on the same layer-2 segment as the affected appliance. No privileges (PR:N) and no user interaction (UI:N) are required. The impact is limited to availability (VA:H), with no confidentiality or integrity impact. Because the trigger is local ethernet traffic, the attacker does not need to traverse routed networks or bypass perimeter controls.
No public proof-of-concept exists and the issue is not listed in CISA KEV. Refer to F5 Support Article K000160862 for the vendor's technical description.
Detection Methods for CVE-2026-42781
Indicators of Compromise
- Sustained spikes in TMM CPU utilization without a corresponding rise in legitimate traffic volume
- Elevated ePVA processing counters or hardware acceleration queue depth reported by tmctl or platform telemetry
- Increased ethernet frame rates on local interfaces from unexpected source MAC addresses
Detection Strategies
- Baseline TMM and ePVA resource utilization and alert on deviations beyond expected operational ranges
- Inspect layer-2 traffic on segments adjacent to F5 appliances for anomalous broadcast or unicast patterns
- Correlate F5 platform health metrics with switch port counters to identify the source of triggering traffic
Monitoring Recommendations
- Forward F5 platform logs and SNMP metrics to a centralized SIEM for trend analysis and alerting
- Monitor iControl REST health endpoints for TMM CPU, memory, and connection table saturation events
- Track per-VLAN and per-interface ethernet error and frame rate counters for sudden increases
How to Mitigate CVE-2026-42781
Immediate Actions Required
- Review F5 Support Article K000160862 to identify affected versions in your environment
- Apply the fixed software version published by F5 for platforms running ePVA acceleration
- Restrict layer-2 access to F5 management and data-plane interfaces to trusted devices only
Patch Information
F5 has published remediation guidance in F5 Support Article K000160862. Upgrade affected systems to a software version that addresses the ePVA handling defect. Versions that have reached End of Technical Support are not evaluated and should be retired or upgraded.
Workarounds
- Disable embedded Packet Velocity Acceleration (ePVA) where operationally acceptable until patching is complete
- Enforce strict VLAN segmentation to limit which hosts share a broadcast domain with F5 appliances
- Apply layer-2 controls such as port security, storm control, and MAC filtering on adjacent switch ports
# Configuration example - consult F5 documentation before applying in production
# Verify ePVA acceleration status on the affected platform
tmsh show sys hardware | grep -i epva
# Review current software version against K000160862
tmsh show sys version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
