CVE-2026-59762: CWE-770: Allocation of Resources Without Limits or Throttling in F5 BIG-IP
When an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Impact: System performance can degrade until the TMM process is either forced to restart or is manually restarted. This vulnerability allows a remote, unauthenticated attacker to cause a degradation of service that can lead to a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-59762) in F5 BIG-IP arises from allocation of resources without limits or throttling (CWE-770) when an HTTP/2 profile is enabled on a virtual server. Undisclosed requests can cause excessive memory consumption, degrading system performance until the Traffic Management Microkernel (TMM) process restarts, either forcibly or manually. The vulnerability allows a remote, unauthenticated attacker to cause denial-of-service conditions on the BIG-IP system. It is a data plane issue with no control plane exposure. Affected versions explicitly include 17.1.0, 17.5.0, 21.0.0, and 21.1.0. No patch or remediation level has been provided by the vendor as of the published date.
Potential Impact
The vulnerability can cause significant degradation of system performance due to increased memory utilization, potentially leading to denial-of-service conditions by forcing the TMM process to restart. This impacts availability of the BIG-IP system but does not affect confidentiality or integrity. The attack can be performed remotely without authentication. There is no exposure of the control plane, limiting the scope to the data plane only.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, monitor system performance and consider limiting exposure of HTTP/2 profiles on virtual servers where feasible. No official remediation or temporary fix has been published by the vendor at this time.
CVE-2026-59762: CWE-770: Allocation of Resources Without Limits or Throttling in F5 BIG-IP
Description
When an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Impact: System performance can degrade until the TMM process is either forced to restart or is manually restarted. This vulnerability allows a remote, unauthenticated attacker to cause a degradation of service that can lead to a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS v3.1
Score 7.5high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-59762) in F5 BIG-IP arises from allocation of resources without limits or throttling (CWE-770) when an HTTP/2 profile is enabled on a virtual server. Undisclosed requests can cause excessive memory consumption, degrading system performance until the Traffic Management Microkernel (TMM) process restarts, either forcibly or manually. The vulnerability allows a remote, unauthenticated attacker to cause denial-of-service conditions on the BIG-IP system. It is a data plane issue with no control plane exposure. Affected versions explicitly include 17.1.0, 17.5.0, 21.0.0, and 21.1.0. No patch or remediation level has been provided by the vendor as of the published date.
Potential Impact
The vulnerability can cause significant degradation of system performance due to increased memory utilization, potentially leading to denial-of-service conditions by forcing the TMM process to restart. This impacts availability of the BIG-IP system but does not affect confidentiality or integrity. The attack can be performed remotely without authentication. There is no exposure of the control plane, limiting the scope to the data plane only.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, monitor system performance and consider limiting exposure of HTTP/2 profiles on virtual servers where feasible. No official remediation or temporary fix has been published by the vendor at this time.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- f5
- Date Reserved
- 2026-07-08T15:49:43.031Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a579dce68715ace43e953d8
Added to database: 07/15/2026, 14:48:46 UTC
Last enriched: 07/15/2026, 15:04:24 UTC
Last updated: 07/16/2026, 03:41:27 UTC
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.