F5 BIG-IP Next HTTP2 Ingress NULL Pointer Dereference (CVE-2025-58120): Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-58120, a high-severity NULL pointer dereference vulnerability affecting F5 BIG-IP Next SPK, CNF, and Kubernetes products with HTTP2 Ingress enabled. We focus on affected versions, technical root cause, and vendor history based on available public sources.

ZeroPath CVE Analysis

2025-10-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.


Introduction

A single HTTP2 request can disrupt application traffic for thousands of users if it causes the core data plane of a load balancer to crash. This scenario became a reality for organizations running F5 BIG-IP Next platforms after the disclosure of CVE-2025-58120, which exposes critical infrastructure to denial of service via a NULL pointer dereference in the Traffic Management Microkernel (TMM).

About F5: F5 is a global leader in application delivery and security, with products deployed at the core of enterprise, telecom, and cloud-native environments. Their BIG-IP and BIG-IP Next lines are foundational to traffic management for Fortune 50 companies, service providers, and cloud-native Kubernetes deployments. A vulnerability in these products can have cascading effects on digital services worldwide.

Technical Information

CVE-2025-58120 is a NULL pointer dereference vulnerability (CWE-476) in the Traffic Management Microkernel (TMM) of F5 BIG-IP Next platforms. The flaw is specifically triggered when HTTP2 Ingress is configured. Certain undisclosed HTTP2 traffic patterns can cause TMM to dereference a NULL pointer, leading to process termination and a denial of service for all traffic handled by the affected instance.

  • Vulnerability trigger: Only when HTTP2 Ingress is enabled on the affected F5 BIG-IP Next products.
  • Root cause: Insufficient validation of pointer values in the HTTP2 processing logic within TMM. When crafted HTTP2 traffic is received, the code attempts to access memory via a pointer that is NULL, resulting in a crash.
  • Impact: Termination of TMM disrupts all active connections and traffic processing. While TMM may restart automatically, there is a window of service interruption.
  • Exploit details: The vendor has not disclosed the exact traffic pattern required to trigger the flaw, limiting public exploitability but also hindering defensive detection.

No public code snippets or detailed proof of concept information are available for this vulnerability.

Affected Systems and Versions

The following F5 BIG-IP Next product versions are affected when HTTP2 Ingress is enabled:

  • BIG-IP Next SPK (Service Proxy for Kubernetes):
    • 2.x branch: versions 2.0.0 through 2.0.2
    • 1.x branch: versions 1.7.0 through 1.9.2
  • BIG-IP Next CNF (Cloud-Native Network Functions):
    • 2.x branch: all versions up to those specified in the October 2025 security notification
  • BIG-IP Next for Kubernetes:
    • All versions with HTTP2 Ingress enabled, as referenced in F5's advisories

The vulnerability is only present when HTTP2 Ingress is configured. Systems without this feature enabled are not affected.
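
The triage below is an added example, not code from F5 or from the original post: it applies the SPK ranges listed above using numeric version comparison, and returns `check-advisory` for CNF and BIG-IP Next for Kubernetes, whose exact bounds this page does not give. The inventory record layout, product labels and status strings are assumptions made for the example.

```python
from typing import NamedTuple

class Deployment(NamedTuple):
    name: str
    product: str          # "SPK", "CNF" or "K8S" (labels assumed for this example)
    version: str          # dotted numeric version, e.g. "1.9.2"
    http2_ingress: bool   # True when HTTP2 Ingress is configured

# Inclusive ranges stated on this page; only SPK has explicit bounds here.
SPK_RANGES = [((2, 0, 0), (2, 0, 2)), ((1, 7, 0), (1, 9, 2))]

def parse_version(text: str) -> tuple:
    """Turn '1.9.2' into (1, 9, 2) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # pad '2.0' to (2, 0, 0)

def triage(dep: Deployment) -> str:
    """Classify one deployment against the information given on this page."""
    if not dep.http2_ingress:
        return "not-affected"        # the flaw requires HTTP2 Ingress
    if dep.product != "SPK":
        return "check-advisory"      # CNF / Kubernetes bounds are not listed here
    try:
        v = parse_version(dep.version)
    except ValueError:
        return "check-advisory"      # malformed version: do not guess
    hit = any(lo <= v <= hi for lo, hi in SPK_RANGES)
    return "affected" if hit else "not-listed"

# Constructed sample inventory (not real systems).
SAMPLE = [
    Deployment("edge-a", "SPK", "1.9.2", True),
    Deployment("edge-b", "SPK", "1.10.0", True),   # lexically < "1.9.2", numerically above it
    Deployment("edge-c", "SPK", "2.0.1", False),
    Deployment("core-a", "CNF", "2.0.0", True),
]

def report(inventory):
    """Map each deployment name to its triage status."""
    return {d.name: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, status in report(SAMPLE).items():
        print(f"{name}: {status}")
```

A `not-listed` result means the version falls outside the ranges on this page, not that the vendor has confirmed it as fixed.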

Vendor Security History

F5 has a history of high-impact vulnerabilities in its BIG-IP product line, including:

  • Remote code execution (CVE-2021-22986)
  • HTTP2 Rapid Reset denial of service (CVE-2023-44487)

The company typically issues coordinated quarterly security notifications and provides hotfixes and patches in line with industry standards. However, a recent breach of F5's development environment by a nation-state actor resulted in the theft of source code and information about undisclosed vulnerabilities, raising concerns about the exposure of sensitive security information and the potential for targeted attacks.
