PT-2026-40658 · F5 · Big-Ip

Published: 2026-05-13 · Updated: 2026-05-17 · CVE-2026-41218

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

F5 BIG-IP versions prior to 17.1.3.1
F5 BIG-IP versions prior to 17.5.1.4
F5 BIG-IP versions prior to 21.0.0.1

Description

Undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate when PEM iRules are configured on a virtual server. This issue affects iRules utilizing the urlcatquery command or commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, and PSC::. The root cause is a use-after-free condition within the TMM.

Recommendations

Update to version 17.1.3.1 or later.
Update to version 17.5.1.4 or later.
Update to version 21.0.0.1 or later.
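
To prioritise patching, the exposure condition in the description (an iRule calling one of the listed commands and attached to a virtual server) can be checked against an exported configuration. The script below is an added example, not F5 or advisory code; it assumes bigip.conf-style `ltm rule` and `ltm virtual` stanzas with balanced braces, and the sample configuration, object names and command arguments are constructed.

```python
import re

# Commands named in the advisory: urlcatquery, or anything in these namespaces.
AFFECTED = re.compile(r"\b(urlcatquery\b|(?:CLASSIFICATION|CLASSIFY|PEM|PSC)::\w+)")
STANZA = re.compile(r"^ltm (rule|virtual) (\S+) \{", re.M)

def stanzas(conf):
    """Yield (kind, name, body) for top-level 'ltm rule' and 'ltm virtual' blocks."""
    for m in STANZA.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), m.group(2), conf[m.end():i - 1]

def exposed_virtuals(conf):
    """Map virtual server -> {attached iRule: affected commands it calls}."""
    rules, attached = {}, {}
    for kind, name, body in stanzas(conf):
        if kind == "rule":
            # Ignore whole-line Tcl comments so commented-out commands do not count.
            code = "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("#"))
            rules[name] = sorted(set(AFFECTED.findall(code)))
        else:
            m = re.search(r"^\s*rules \{([^}]*)\}", body, re.M)
            attached[name] = m.group(1).split() if m else []
    return {vs: {r: rules[r] for r in rs if rules.get(r)}
            for vs, rs in attached.items() if any(rules.get(r) for r in rs)}

# Constructed sample configuration (names and command arguments are illustrative).
SAMPLE = """\
ltm rule /Common/pem_tag {
    when HTTP_REQUEST {
        log local0. [CLASSIFICATION::app]
        # PSC::ip_address is commented out and must not be reported
        PEM::session info [IP::client_addr]
    }
}
ltm rule /Common/redirect {
    when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
}
ltm virtual /Common/vs_subscriber {
    rules { /Common/pem_tag /Common/redirect }
}
ltm virtual /Common/vs_web {
    rules { /Common/redirect }
}
"""
```

Virtual servers returned by `exposed_virtuals` match the condition in the description and are the ones to check first against the fixed versions listed above.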

Fix

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2026-41218

Affected Products

Big-Ip