F5 BIG-IP HTTP/2 NULL Pointer Dereference Vulnerability (CVE-2025-41414) Advisory

Critical Vulnerability Information Vulnerability Description Vulnerability ID: K000140986, CVE-2025-41414 Affected Product: BIG-IP HTTP/2 vulnerability Release Date: May 7, 2025 Update Date: May 7, 2025 Impact When both HTTP/2 client and server profiles are configured on a virtual server, an unannounced request may cause the Traffic Management Microkernel (TMM) to terminate. This is a data plane-only issue. Security Advisory Status F5 Product Development has assigned ID 1066457 (BIG-IP Next SPK) and ID 1096457-B (BIG-IP Next NMI) to this vulnerability. The issue is classified as CWE-476: NULL Pointer Dereference. Affected Products and Versions BIG-IP Next: - All modules: All versions known to be vulnerable. - Fixed version: Not applicable. - Severity/CVSS Score: Not vulnerable. - Vulnerable component or feature: None. BIG-IP Next Central Manager: - All modules: All versions known to be vulnerable. - Fixed version: Not applicable. - Severity/CVSS Score: Not vulnerable. - Vulnerable component or feature: None. BIG-IP Next SPK: - 2.x: Versions known to be vulnerable: 2.0.0. - 1.x: Versions known to be vulnerable: 1.8.0 - 1.9.2, 1.7.0 - 1.7.8. - Fixed version: 1.7.9. - Severity/CVSS Score: High (8.7) (CVSS v3.1), High (8.7) (CVSS v4.0). - Vulnerable component or feature: HTTP/2 profile. BIG-IP Next CNF: - 2.x: Versions known to be vulnerable: 2.0.0. - 1.x: Versions known to be vulnerable: 1.1.0 - 1.3.3. - Fixed version: 1.4.0. - Severity/CVSS Score: High (8.7) (CVSS v3.1), High (8.7) (CVSS v4.0). - Vulnerable component or feature: HTTP/2 profile. BIG-IP Next Kubernetes: - All modules: All versions known to be vulnerable. - Fixed version: Not applicable. - Severity/CVSS Score: Not vulnerable. - Vulnerable component or feature: None. BIG-IP and BIG-IQ: - 17.x: Versions known to be vulnerable: 17.0.0 - 17.1.3. - Fixed version: 17.1.4. - Severity/CVSS Score: High (8.7) (CVSS v3.1), High (8.7) (CVSS v4.0). - Vulnerable component or feature: Virtual server with HTTP/2 client and server profiles configured. Recommended Mitigation Measures Configure BIG-IP systems with high availability to mitigate the impact of this vulnerability. Use HA cluster configuration for the system. Configure HA tables to take specific actions.

Goal Reached Thanks to every supporter — we hit 100%!

F5 BIG-IP HTTP/2 NULL Pointer Dereference Vulnerability (CVE-2025-41414) Advisory