CVE-2021-22991 — F5 BIG-IP Traffic Management Microkernel Buffer Overflow

F5 BIG-IP TMM — Buffer Overflow in ASM Risk Engine Enabling URL-Based Access Control Bypass and Potential RCE on Traffic Processing Plane

What is F5 BIG-IP Traffic Management Microkernel?

The F5 BIG-IP Traffic Management Microkernel (TMM) is the core traffic processing engine of BIG-IP appliances, handling all packet forwarding, load balancing, and Layer 4–7 traffic processing in kernel space. TMM is responsible for applying WAF (Web Application Firewall) policies, URL filtering, and the Application Security Manager (ASM) risk engine — the component that enforces web application security policies for all traffic passing through the BIG-IP. Because TMM operates on the data plane (processing live network traffic), vulnerabilities in TMM affect the reliability and security of all application traffic flowing through BIG-IP, including the enforcement of security controls.

Overview

CVE-2021-22991 is a buffer overflow vulnerability (CWE-119) in the Traffic Management Microkernel's Application Security Manager (ASM) Risk Engine. An attacker can send crafted HTTP requests with long URL parameters that trigger a buffer overflow in the TMM process, which may allow the attacker to bypass URL-based access controls enforced by BIG-IP ASM and may enable code execution in the TMM data plane. This vulnerability was disclosed alongside CVE-2021-22986 (the iControl REST RCE) in F5's March 2021 patch batch, but CISA added CVE-2021-22991 to KEV separately in January 2022 following confirmed exploitation.

Affected Versions

Product                          Vulnerable   Fixed
BIG-IP 16.0.x before 16.0.1.1    Yes          16.0.1.1
BIG-IP 15.1.x before 15.1.2.1    Yes          15.1.2.1
BIG-IP 14.1.x before 14.1.4      Yes          14.1.4
BIG-IP 13.1.x before 13.1.3.6    Yes          13.1.3.6
BIG-IP 12.1.x before 12.1.5.3    Yes          12.1.5.3
BIG-IP 11.6.x before 11.6.5.3    Yes          11.6.5.3

Technical Details

The BIG-IP ASM Risk Engine processes HTTP request URLs to evaluate security policies and determine whether requests should be allowed or blocked. Processing of excessively long URL components triggers a buffer overflow in the TMM process:

  • Root cause: Buffer overflow (CWE-119) — the TMM ASM Risk Engine copies HTTP URL data into a fixed-size buffer without adequate length checking. An oversized URL value triggers an overflow
  • Traffic bypass: The overflow condition can cause the ASM security policy evaluation to fail or misbehave, allowing malicious HTTP requests that would otherwise be blocked by BIG-IP ASM to pass through to protected backend applications
  • Potential RCE: Beyond policy bypass, the buffer overflow may enable code execution in the TMM data plane context — which processes all network traffic through the BIG-IP appliance
  • Attack vector: Any HTTP/HTTPS request passing through a BIG-IP configured with ASM can be crafted to trigger the overflow — the attacker does not need to be an authenticated user of the BIG-IP management interface
  • Data plane impact: TMM crash or compromise affects all traffic flowing through the BIG-IP, not just the attacking connection

Discovery

Reported to F5 by external security researchers and patched as part of F5's March 2021 security advisory batch. The separate CISA KEV addition in January 2022 reflects confirmed exploitation distinct from the broader CVE-2021-22986 exploitation wave.

Exploitation Context

CVE-2021-22991 is particularly impactful in environments where BIG-IP ASM is deployed specifically to protect web applications from injection attacks and unauthorized access. Bypassing ASM security policies removes the primary application-layer security control for those applications. Combined with knowledge of backend application vulnerabilities, an attacker who can bypass BIG-IP ASM policies gains unrestricted access to protected applications. Organizations relying on BIG-IP ASM as their primary WAF should treat unpatched BIG-IP as providing no application-layer security protection for the affected URL patterns.

Remediation

  1. Apply F5 patches per Security Advisory K56715141 — update to the fixed versions listed above
  2. Prioritize patching if BIG-IP ASM (Application Security Manager) is deployed and protecting internet-facing applications
  3. Review BIG-IP ASM logs for unusual HTTP requests with abnormally long URL components that may indicate exploitation attempts
  4. After patching, verify that ASM security policies are functioning correctly — test with known malicious payloads to confirm blocking behavior
  5. Consider enabling BIG-IP ASM anomaly detection to identify traffic patterns consistent with buffer overflow exploitation attempts
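Remediation step 3 above (reviewing ASM logs for abnormally long URL components) is the kind of check that is easy to script. The following is an added example written for this page, not F5 code and not a parser for BIG-IP's real ASM log format: it assumes a simplified, constructed access-log style line (timestamp, client, quoted request line, status) and flags requests whose total URL, any path segment, or any query parameter value exceeds assumed thresholds that should be tuned to the protected application's baseline.

```python
"""Flag HTTP request log entries whose URL components are abnormally long.

Added example for CVE-2021-22991 triage. The log line format and the
thresholds below are assumptions for illustration, not BIG-IP ASM's own
log format or F5-recommended values.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed log line shape: "<ts> <client> "<METHOD> <url> HTTP/x.y" <status>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Assumed thresholds; tune these to what the protected application normally sees.
MAX_URL_LEN = 2048          # whole request-target
MAX_SEGMENT_LEN = 255       # any single path segment
MAX_PARAM_VALUE_LEN = 1024  # any single query parameter value


def analyze_url(url):
    """Return the reasons a URL looks abnormally long (empty list if it looks normal)."""
    reasons = []
    if len(url) > MAX_URL_LEN:
        reasons.append(f"total url length {len(url)} > {MAX_URL_LEN}")
    parts = urlsplit(url)
    for seg in parts.path.split("/"):
        if len(seg) > MAX_SEGMENT_LEN:
            reasons.append(f"path segment length {len(seg)} > {MAX_SEGMENT_LEN}")
            break  # one oversized segment is enough to flag the request
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) > MAX_PARAM_VALUE_LEN:
            reasons.append(
                f"parameter {name!r} value length {len(value)} > {MAX_PARAM_VALUE_LEN}"
            )
    return reasons


def flag_long_urls(lines):
    """Parse log lines and return one finding per request with oversized URL components."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real triage script would count these separately
        reasons = analyze_url(m["url"])
        if reasons:
            findings.append({
                "ts": m["ts"],
                "client": m["client"],
                "method": m["method"],
                "status": m["status"],
                "url_len": len(m["url"]),
                "reasons": reasons,
            })
    return findings


# Constructed sample lines (not captured from a real BIG-IP). Lines 3 and 4 carry
# an oversized parameter value and an oversized path segment respectively.
SAMPLE_LINES = [
    '2022-01-18T10:00:01Z 203.0.113.10 "GET /app/index.html HTTP/1.1" 200',
    '2022-01-18T10:00:02Z 203.0.113.11 "GET /app/search?q=shoes&page=2 HTTP/1.1" 200',
    '2022-01-18T10:00:03Z 198.51.100.7 "GET /app/login?user=' + "A" * 3000 + ' HTTP/1.1" 403',
    '2022-01-18T10:00:04Z 198.51.100.8 "GET /app/' + "B" * 600 + '/view HTTP/1.1" 500',
]

if __name__ == "__main__":
    for finding in flag_long_urls(SAMPLE_LINES):
        print(finding["ts"], finding["client"], finding["method"],
              f"len={finding['url_len']}", "; ".join(finding["reasons"]))
```

Because the overflow described above is triggered by oversized URL components, length outliers are the first thing to look for; requests that ASM logged with a blocking status and an oversized component are worth correlating with TMM restarts or core files from the same period.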

Key Details

Property               Value
CVE ID                 CVE-2021-22991
Vendor / Product       F5 — BIG-IP Traffic Management Microkernel
NVD Published          2021-03-31
NVD Last Modified      2025-10-27
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-119
CISA KEV Added         2022-01-18
CISA KEV Deadline      2022-02-01
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-02-01. Apply updates per vendor instructions.

Timeline

Date         Event
2021-03-10   F5 releases patches for CVE-2021-22991 alongside other BIG-IP vulnerabilities
2021-03-31   CVE published
2022-01-18   Added to CISA Known Exploited Vulnerabilities catalog
2022-02-01   CISA BOD 22-01 remediation deadline

References

Resource                                          Type
F5 Security Advisory K56715141 — CVE-2021-22991   Vendor Advisory
NVD — CVE-2021-22991                              Vulnerability Database
CISA KEV Catalog Entry                            US Government