Cyber Resilience

CVE-2026-42409

Severity: High (updated)
Published: 13 May 2026
Modified: 23 June 2026
KEV Added: not listed
CVSS Score (v4): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0026 (17.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-42409 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS ranking places it at the 17.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
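The precondition above is a configuration combination, so the first thing a defender wants is an inventory: which virtual servers pair an HTTP/2 profile with an iRule that calls HTTP::redirect or HTTP::respond, and whether the running version falls in the ranges listed under Affected Assets. The script below is an added example written for this page, not F5 code or tooling. It parses a constructed configuration dump whose layout is only assumed to resemble `tmsh list ltm ...` output; every virtual server, profile and iRule name in it is invented. Custom HTTP/2 profiles are resolved through `ltm profile http2` blocks rather than by name alone.

```python
"""Exposure inventory for the CVE-2026-42409 precondition.

Added example for this page, not F5 code. The config layout is an assumption
about a tmsh-style dump; all object names and addresses are constructed.
"""
import re

# Affected BIG-IP ranges as listed on this page (inclusive; page gives three components).
AFFECTED_RANGES = [("16.1.0", "16.1.6"), ("17.1.0", "17.1.3"),
                   ("17.5.0", "17.5.1"), ("21.0.0", "21.0.0")]

# The two iRule commands named in the advisory text.
IRULE_CMDS = ("HTTP::redirect", "HTTP::respond")

# Constructed sample configuration (assumed tmsh-style layout; names are invented).
SAMPLE_CONFIG = """\
ltm profile http2 h2_custom { defaults-from http2 }
ltm rule redirect_to_portal {
    when HTTP_REQUEST { HTTP::redirect "https://portal.example.internal/" }
}
ltm rule respond_maint {
    when HTTP_REQUEST { HTTP::respond 503 content "maintenance" }
}
ltm rule log_only {
    when HTTP_REQUEST { log local0. "request seen" }
}
ltm virtual vs_portal_h2 {
    destination 10.0.0.10:443
    profiles { clientssl { context clientside } http { } http2 { context clientside } }
    rules { redirect_to_portal }
}
ltm virtual vs_maint_h2custom {
    destination 10.0.0.11:443
    profiles { /Common/http { } /Common/h2_custom { } }
    rules { /Common/respond_maint }
}
ltm virtual vs_api_h1 {
    destination 10.0.0.12:443
    profiles { http { } }
    rules { redirect_to_portal }
}
ltm virtual vs_h2_noredirect {
    destination 10.0.0.13:443
    profiles { http { } http2 { } }
    rules { log_only }
}
"""


def parse_version(v):
    """'17.1.2' -> (17, 1, 2); any hotfix digits beyond the third are dropped."""
    return tuple(int(x) for x in v.split("."))[:3]


def version_affected(v):
    """True if v lies inside any range this page lists as affected."""
    pv = parse_version(v)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def _match_brace(text, start):
    """Index of the '}' matching an '{' that sits just before text[start]."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    return len(text)  # unbalanced input: take the rest of the text


def extract_blocks(text, kind):
    """Map name -> body for every top-level 'ltm <kind> <name> { ... }' block."""
    blocks = {}
    for m in re.finditer(r"^ltm %s (\S+) \{" % re.escape(kind), text, re.M):
        blocks[m.group(1)] = text[m.end():_match_brace(text, m.end())]
    return blocks


def _inner(body, key):
    """Body of the first '<key> { ... }' sub-block inside body, or '' if absent."""
    m = re.search(r"\b%s\s*\{" % re.escape(key), body)
    return body[m.end():_match_brace(body, m.end())] if m else ""


def _basename(path):
    """Strip a partition prefix such as /Common/ from an object reference."""
    return path.rsplit("/", 1)[-1]


def find_exposed_virtuals(config_text):
    """Virtual servers that pair an HTTP/2 profile with a redirect/respond iRule."""
    h2_profiles = {"http2"} | set(extract_blocks(config_text, "profile http2"))
    risky_rules = {name for name, body in extract_blocks(config_text, "rule").items()
                   if any(cmd in body for cmd in IRULE_CMDS)}
    exposed = []
    for name, body in extract_blocks(config_text, "virtual").items():
        profiles = {_basename(p) for p in re.findall(r"(\S+)\s*\{", _inner(body, "profiles"))}
        rules = {_basename(r) for r in _inner(body, "rules").split()}
        if profiles & h2_profiles and rules & risky_rules:
            exposed.append(name)
    return sorted(exposed)


def assess(config_text, version):
    """Combine the version and configuration checks into one report."""
    return {"version": version, "version_affected": version_affected(version),
            "exposed_virtuals": find_exposed_virtuals(config_text)}


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, "17.1.2"))
```

On the constructed input the report lists `vs_maint_h2custom` and `vs_portal_h2` as matching the precondition; `vs_api_h1` has the iRule but no HTTP/2 profile, and `vs_h2_noredirect` has HTTP/2 but an iRule without either command, so neither is flagged. The output is an aid for prioritising the vendor update on the virtual servers that actually meet the condition, not a substitute for it.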

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability sits in a public-facing HTTP/2 virtual server, where crafted requests trigger a NULL dereference crash in TMM (denial of service via application exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20045 (same product: F5 Big-Ip Access Policy Manager)
CVE-2026-41956 (same product: F5 Big-Ip Access Policy Manager)
CVE-2025-21091 (same product: F5 Big-Ip Access Policy Manager)
CVE-2025-20058 (same product: F5 Big-Ip Access Policy Manager)
CVE-2025-21087 (same product: F5 Big-Ip Access Policy Manager)
CVE-2026-41218 (same product: F5 Big-Ip Access Policy Manager)
CVE-2026-41957 (same product: F5 Big-Ip Access Policy Manager)
CVE-2026-41225 (same product: F5 Big-Ip Access Policy Manager)
CVE-2025-24320 (same product: F5 Big-Ip Access Policy Manager)
CVE-2025-20029 (same product: F5 Big-Ip Access Policy Manager)

Affected Assets

Vendor / product: affected versions
f5 / big-ip next cloud-native network functions: 1.1.0 — 1.4.0 · 2.0.0 — 2.0.2
f5 / big-ip next for kubernetes: 2.0.0 — 2.1.0
f5 / big-ip access policy manager: 21.0.0 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1
f5 / big-ip advanced firewall manager: 21.0.0 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1
f5 / big-ip advanced web application firewall: 21.0.0 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1
f5 / big-ip analytics: 21.0.0 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1
f5 / big-ip application acceleration manager: 21.0.0 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1
f5 / big-ip application security manager: 21.0.0 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1
f5 / big-ip application visibility and reporting: 21.0.0 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1
f5 / big-ip automation toolchain: 21.0.0 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1
+13 more product configuration(s) — see NVD for full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References