CVE-2026-42409
Severity: High
Weakness type: CWE-476
Published: May 13, 2026  ·  Modified: May 20, 2026  ·  Source: NVD
CVSS v3: 7.5
📄 Description (English)

When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

🤖 AI Executive Summary

CVE-2026-42409 is a denial-of-service vulnerability affecting F5 BIG-IP systems with HTTP/2 profiles and specific iRule configurations. The vulnerability causes the Traffic Management Microkernel (TMM) process to crash when processing certain HTTP requests, resulting in service unavailability. With a CVSS score of 7.5 and no patch currently available, this poses a significant risk to organizations relying on F5 load balancers for critical services.

🤖 AI Intelligence Analysis (analyzed: May 20, 2026 15:37)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses a critical risk to the Saudi banking sector (SAMA-regulated institutions), government agencies (under NCA oversight), and telecommunications providers (STC, Mobily) that use F5 BIG-IP for load balancing and traffic management. The Saudi energy sector (ARAMCO, SEC) and healthcare organizations running F5 infrastructure are also at significant risk. The DoS impact could disrupt critical financial transactions, government services, and essential infrastructure. Organizations in the Kingdom that rely on F5 for API gateways and DDoS mitigation are particularly exposed to service interruption.
🏢 Affected Saudi Sectors
Banking and Financial Services; Government and Public Administration; Telecommunications; Energy and Utilities; Healthcare; Critical Infrastructure
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all F5 BIG-IP systems with HTTP/2 profiles and iRules containing HTTP::redirect or HTTP::respond commands
2. Implement network segmentation to restrict access to affected virtual servers
3. Enable enhanced monitoring and alerting for TMM process crashes
4. Document current iRule configurations for rapid rollback capability

COMPENSATING CONTROLS (until patch available):
1. Disable HTTP/2 profile on non-critical virtual servers if operationally feasible
2. Remove or modify iRules containing HTTP::redirect or HTTP::respond commands where possible
3. Implement rate limiting and request filtering at upstream network devices
4. Deploy WAF rules to block malformed HTTP/2 requests
5. Configure automatic TMM process restart with monitoring

DETECTION:
1. Monitor F5 system logs for TMM process termination events
2. Alert on unexpected virtual server unavailability
3. Track HTTP/2 connection anomalies and malformed requests
4. Implement continuous health checks for affected services

PATCHING:
1. Subscribe to F5 security advisories for patch availability
2. Prepare change management procedures for emergency patching
3. Test patches in non-production environment immediately upon release
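One way to carry out the inventory in step 1 of the immediate actions, as an added example that is not part of this advisory or of F5's own tooling: the script below parses the text output of `tmsh list ltm rule` and `tmsh list ltm virtual` (saved to a file on the BIG-IP or collected centrally) and lists every virtual server that combines an HTTP/2 profile with an attached iRule calling HTTP::redirect or HTTP::respond. It assumes the HTTP/2 profile is the stock one named http2 (custom profiles derived from it must be added to http2_profiles), and the sample configuration is constructed.

```python
import re
RISKY = re.compile(r"\bHTTP::(redirect|respond)\b")  # the two iRule commands named in the advisory

def parse_objects(text):
    """Split tmsh output into (kind, name, body), tracking brace depth across iRule bodies."""
    objects, current, depth = [], None, 0
    for line in text.splitlines():
        m = re.match(r"^ltm (rule|virtual) (\S+) \{", line) if current is None else None
        if current is None and not m:
            continue  # outside any object of interest
        current = current or [m.group(1), m.group(2), []]
        current[2].append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:  # closing brace of the object reached
            objects.append((current[0], current[1], "\n".join(current[2])))
            current = None
    return objects

def section_names(body, key):
    """Names inside a virtual server's `key { ... }` block, one-line or multi-line."""
    m = re.search(r"^\s*%s \{" % key, body, re.M)
    depth, start = 0, m.end() - 1 if m else len(body)
    for j in range(start, len(body)):
        depth += (body[j] == "{") - (body[j] == "}")
        if depth == 0:
            return set(body[start + 1:j].split()) - {"{", "}"}
    return set()  # block absent or unterminated

def find_exposed(text, http2_profiles=frozenset({"http2"})):
    """Virtual servers with an HTTP/2 profile plus an iRule calling HTTP::redirect/respond."""
    objs = parse_objects(text)
    risky = {n for k, n, b in objs if k == "rule" and RISKY.search(b)}
    return sorted(n for k, n, b in objs if k == "virtual"
                  and section_names(b, "profiles") & http2_profiles
                  and section_names(b, "rules") & risky)

# Constructed sample in tmsh layout; object names are invented.
SAMPLE = """\
ltm rule r_force_https {
    when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
}
ltm virtual vs_api_h2 {
    profiles { http { } http2 { } tcp { } }
    rules { r_force_https }
}
ltm virtual vs_web_h1 {
    profiles { http { } tcp { } }
    rules { r_force_https }
}
"""
```

Running `find_exposed(SAMPLE)` flags only vs_api_h2; vs_web_h1 shares the redirect iRule but has no HTTP/2 profile and so does not meet the advisory's precondition.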
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.12.1.2 - Monitoring and logging of security events
🔵 SAMA CSF
SAMA CSF ID.RA-1 - Asset management and vulnerability identification
SAMA CSF PR.IP-12 - System and information integrity
SAMA CSF DE.CM-1 - Detection and monitoring of anomalies
🟡 ISO 27001:2022
ISO 27001:2022 A.12.2.1 - Change management
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.8.1.3 - Segregation of duties
ISO 27001:2022 A.12.4.1 - Event logging
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 11.2 - Vulnerability scanning
PCI DSS 12.2 - Configuration standards
📊 CVSS Score: 7.5 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: None (N)
User Interaction: None (N)
Scope: Unchanged (U)
Confidentiality: None (N)
Integrity: None (N)
Availability: High (H)
📋 Quick Facts
Severity: High
CVSS Score: 7.5
CWE: CWE-476
EPSS: 0.11%
Exploit: No
Patch: No
Published: 2026-05-13
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 — Priority: CRITICAL
🏷️ Tags: CWE-476