BIG-IP HTTP/2 vulnerability
Summary
| CVE | CVE-2026-59762 |
|---|---|
| State | PUBLISHED |
| Assigner | f5 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-15 15:16:46 UTC |
| Updated | 2026-07-15 16:23:03 UTC |
| Description | When an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Impact: System performance can degrade until the TMM process is either forced to restart or is manually restarted. This vulnerability allows a remote, unauthenticated attacker to cause a degradation of service that can lead to a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
Risk And Classification
Primary CVSS: v4.0 8.7 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-770 | CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
NonePrivileges Required
NoneUser Interaction
NoneConfidentiality
NoneIntegrity
NoneAvailability
HighSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | F5 | BIG-IP | affected 21.1.0 21.1.0.1 custom | Not specified |
| CNA | F5 | BIG-IP | affected 21.0.0 21.0.0.3 custom | Not specified |
| CNA | F5 | BIG-IP | affected 17.5.0 17.5.1.8 custom | Not specified |
| CNA | F5 | BIG-IP | affected 17.1.0 17.1.3.4 custom | Not specified |
| CNA | F5 | BIG-IP Next For Kubernetes | affected 2.3.0 2.3.2 custom | Not specified |
| CNA | F5 | BIG-IP Next For Kubernetes | affected 2.0.0 2.2.3 custom | Not specified |
| CNA | F5 | BIG-IP Next SPK | affected 1.9.0 * custom | Not specified |
| CNA | F5 | BIG-IP Next SPK | affected 1.7.0 1.7.18 custom | Not specified |
| CNA | F5 | BIG-IP Next CNF | affected 2.3.0 2.3.2 custom | Not specified |
| CNA | F5 | BIG-IP Next CNF | affected 2.0.0 2.2.3 custom | Not specified |
| CNA | F5 | BIG-IP Next CNF | affected 1.1.0 1.4.3 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| my.f5.com/manage/s/article/K000162231 | [email protected] | my.f5.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: F5 acknowledges the Okta Red Team of Okta for bringing this issue to our attention and following the highest standards of coordinated disclosure. (en)
There are currently no legacy QID mappings associated with this CVE.