CVE-2026-2507
Published: 18 February 2026
Summary
CVE-2026-2507 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-2507 is a denial-of-service vulnerability affecting F5 BIG-IP systems when the BIG-IP AFM (Advanced Firewall Manager) or BIG-IP DDoS modules are provisioned. Specific undisclosed traffic triggers a termination of the Traffic Management Microkernel (TMM), stemming from a NULL pointer dereference (CWE-476). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-02-18.
Remote attackers require only network access, with no privileges, user interaction, or special conditions beyond low attack complexity. Exploitation causes TMM to crash, resulting in high-impact availability disruption by halting traffic processing on affected systems. Software versions that have reached End of Technical Support (EoTS) were not evaluated for this vulnerability.
Mitigation details are available in the F5 security advisory at https://my.f5.com/manage/s/article/K000160003.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7911
Vulnerability details
When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote unauthenticated exploitation of a public-facing network appliance (BIG-IP) via crafted traffic to trigger TMM crash (NULL dereference), directly mapping to public-facing app exploitation and application/system DoS via vulnerability trigger.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the vulnerability by requiring timely remediation of the NULL pointer dereference flaw through vendor patches as specified in the F5 advisory.
Provides comprehensive denial-of-service protections tailored to block or mitigate the specific undisclosed traffic triggering TMM termination.
Ensures the system handles errors and exceptions, such as NULL pointer dereferences, without compromising availability by causing TMM crashes.