Cyber Resilience

CVE-2026-2507

Severity: High

Published: 18 February 2026
Modified: 15 April 2026
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0029 (20.1st percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-2507 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-2507 is a denial-of-service vulnerability affecting F5 BIG-IP systems when the BIG-IP AFM (Advanced Firewall Manager) or BIG-IP DDoS modules are provisioned. Specific undisclosed traffic triggers a termination of the Traffic Management Microkernel (TMM), stemming from a NULL pointer dereference (CWE-476). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-02-18.

Remote attackers require only network access, with no privileges, user interaction, or special conditions beyond low attack complexity. Exploitation causes TMM to crash, resulting in high-impact availability disruption by halting traffic processing on affected systems. Software versions that have reached End of Technical Support (EoTS) were not evaluated for this vulnerability.

Mitigation details are available in the F5 security advisory at https://my.f5.com/manage/s/article/K000160003.

Vulnerability details

When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s): CWE-476 (NULL Pointer Dereference)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE enables remote, unauthenticated exploitation of a public-facing network appliance (BIG-IP) via crafted traffic that triggers a TMM crash (NULL pointer dereference). This maps directly to public-facing application exploitation and to application/system denial of service triggered through a vulnerability.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-27651 (shared CWE-476)
- CVE-2026-33283 (shared CWE-476)
- CVE-2026-23148 (shared CWE-476)
- CVE-2025-20045 (shared CWE-476)
- CVE-2026-32696 (shared CWE-476)
- CVE-2026-42409 (shared CWE-476)
- CVE-2026-25501 (shared CWE-476)
- CVE-2026-8180 (shared CWE-476)
- CVE-2026-28388 (shared CWE-476)
- CVE-2025-63655 (shared CWE-476)

Affected Assets

Software: inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly mitigates the vulnerability by requiring timely remediation of the NULL pointer dereference flaw through vendor patches, as specified in the F5 advisory.
- Prevent, SC-5 (Denial-of-service Protection): Provides comprehensive denial-of-service protections tailored to block or mitigate the specific undisclosed traffic that triggers TMM termination.
- Prevent, SI-11 (Error Handling): Ensures the system handles errors and exceptions, such as NULL pointer dereferences, without compromising availability through TMM crashes.
