Key Information

Vulnerability Description
Vulnerability ID: K000140918, CVE-2025-36504
Affected Product: BIG-IP HTTP/2
Issue: When a BIG-IP HTTP/2 HttpProfile is configured on a virtual server, undisclosed responses may lead to increased memory usage.

Impact
- System Performance Degradation: The Traffic Management Microkernel (TMM) process may be forced to restart or require a manual restart.
- Remote Exploitation: Unauthenticated attackers can exploit this vulnerability to cause a denial-of-service (DoS) condition.
- Data Plane Issue: No control plane exposure.

Security Advisory Status
Classification: CVSS:7.70 - No resource allocation limits
Assessment: Use PS diagnostic for vulnerability assessment.

Affected Products and Versions

BIG-IP Next (All Modules):
- Versions: 20.x, 20.2.0 - 20.2.1
- Fixed Version: 20.3.0
- Severity: High (7.8) (CVSS v3.1), High (8.7) (CVSS v4.0)
- Vulnerable Component: HTTP/2 profile

BIG-IP Next SPK:
- Versions: 2.x
- Fixed Version: 2.0.0
- Severity: High (7.8) (CVSS v3.1), High (8.7) (CVSS v4.0)
- Vulnerable Component: HTTP/2 profile

BIG-IP Next CNF:
- Versions: 2.x
- Fixed Version: 2.0.0
- Severity: High (7.8) (CVSS v3.1), High (8.7) (CVSS v4.0)
- Vulnerable Component: HTTP/2 profile

Recommended Actions
- Install Patch: For known vulnerable versions, install the patch specified in the "Introduced Fix" column.
- Upgrade Version: If no patch is available for your running branch, upgrade to the next candidate version within the same branch.
- Remove HTTP/2 Configuration: Remove the HTTP/2 configuration from virtual servers.