If you’re running F5 BIG-IP for your enterprise load balancing and you’ve enabled HTTP/2 on your virtual servers, this vulnerability is a must-know. Let’s break down CVE-2022-23012 in clear and simple words, show you what goes wrong, demonstrate how it can be triggered, and most importantly—how to protect yourself.
What is CVE-2022-23012?
CVE-2022-23012 is a vulnerability found in certain versions of F5’s BIG-IP product when using the HTTP/2 profile on a virtual server. Specifically, versions 15.1.x before 15.1.4.1 and 14.1.x before 14.1.4.5 are affected.
When an attacker sends specifically crafted (undisclosed) HTTP/2 requests, the core traffic processor of BIG-IP, called the Traffic Management Microkernel (TMM), can unexpectedly terminate. That’s a fancy way of saying: If hit with these requests, your F5 may crash, dropping connections and causing outages.
> Important Note: F5 does _not_ evaluate versions that have reached End of Technical Support (EoTS). If you’re running super old software, you’re on your own.
Why it Matters
A crash in TMM doesn’t just mean a single connection is dropped—it often means the whole virtual server becomes unresponsive, causing outages for every user or service using that endpoint. For enterprise data centers, this is a big deal.
- No code execution: This is a denial of service (crash), not remote code execution.
- No authentication needed: Anyone who can hit your virtual server can cause this crash, if they know how.
- All virtual servers with HTTP/2 profile: Any such server is vulnerable.
The Technical Heart of the Issue
While F5 hasn't disclosed the exact format of the malicious request, the clue is simple: the problem occurs if and only if the HTTP/2 profile is enabled on the virtual server.
The TMM, which is responsible for fast and efficient connection management and load balancing, has a bug when processing certain HTTP/2 frames or requests. By abusing this, an attacker can cause it to crash.
## Steps to Reproduce (Using HTTP/2)
While F5 did not publish a public Proof-of-Concept (PoC) (and this post avoids real exploitation), here’s the general way researchers approach this type of bug:
1. Set up a vulnerable BIG-IP with HTTP/2 enabled.
2. Send a series of malformed or edge-case HTTP/2 frames.
3. Observe the crash in TMM.
A simple HTTP/2 client, like h2c or nghttp (open-source HTTP/2 tools), can be used to fuzz or test the server:
```shell
# Using nghttp to send various HTTP/2 requests
nghttp -v -n https://bigip-victim.example.com/
```
Researchers might use custom scripts or fuzzers to generate frames with unexpected headers, stream IDs, or invalid payloads. Here’s a rough Python snippet that shows the concept of sending raw HTTP/2 frames:
```python
import socket
import ssl

context = ssl.create_default_context()
# HTTP/2 over TLS is negotiated via ALPN; without this the server never speaks h2
context.set_alpn_protocols(['h2'])
with socket.create_connection(('bigip-victim.example.com', 443)) as sock:
    with context.wrap_socket(sock, server_hostname='bigip-victim.example.com') as ssock:
        # Send the raw HTTP/2 connection preface
        ssock.sendall(b'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n')
        # Send a deliberately malformed frame (example - not actual exploit):
        # 9-byte frame header with length 0, type 0 (DATA), flags 0, stream ID 0
        ssock.sendall(b'\x00\x00\x00\x00\x00\x00\x00\x00\x00')
```
Note: This does _not_ exploit the bug, just shows the idea. Real exploitation would require targeting whatever specific "undisclosed requests" cause the crash.
Impact of a Crash
- Existing users are disconnected.
- New users cannot connect until TMM restarts (which may happen automatically or require manual intervention).
Fixed Versions
- 15.1.4.1 and newer
- 14.1.4.5 and newer
If you’re on an older version, upgrade as soon as possible.
F5 Security Advisory:
https://support.f5.com/csp/article/K41551269
If you can’t upgrade right away
- Disable the HTTP/2 profile from any public-facing virtual servers.
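To find out where that mitigation applies, here is an added audit script (written for this post, not F5 code) that checks a version string against the affected ranges and lists every virtual server with an HTTP/2 profile attached, including custom profiles that don't have "http2" in their name. The tmsh output it parses is constructed for the example; on a real unit you would feed it the output of the two tmsh commands named in the comments.

```python
import re
# Constructed sample tmsh output (not captured from a real device). On a BIG-IP the
# equivalents are "tmsh list ltm profile http2" and "tmsh list ltm virtual".
HTTP2_PROFILES_OUT = """\
ltm profile http2 /Common/http2 {
    app-service none
}
ltm profile http2 /Common/api-h2 {
    defaults-from /Common/http2
}
"""
VIRTUALS_OUT = """\
ltm virtual /Common/vs_api {
    profiles {
        /Common/clientssl { }
        /Common/http { }
        /Common/api-h2 { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_legacy {
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
"""
# First fixed release per affected branch, per the advisory (15.1.x < 15.1.4.1, 14.1.x < 14.1.4.5)
FIXED = {(15, 1): (15, 1, 4, 1), (14, 1): (14, 1, 4, 5)}

def is_affected(version):
    """True if a BIG-IP version string (e.g. "15.1.3") falls inside an affected range."""
    v = tuple(int(p) for p in version.split("."))
    fix = FIXED.get(v[:2])
    return fix is not None and v < fix

def http2_profile_names(out):
    """Every HTTP/2 profile name, including custom ones that inherit from /Common/http2."""
    return set(re.findall(r"^ltm profile http2 (\S+) \{", out, re.M))

def virtuals_with_http2(out, h2_profiles):
    """Virtual servers with any HTTP/2 profile attached: match against the profile
    list, not the substring 'http2', so renamed custom profiles are not missed."""
    hits = []
    for name, body in re.findall(r"^ltm virtual (\S+) \{\n(.*?)^\}", out, re.M | re.S):
        attached = set(re.findall(r"^[ \t]+(/\S+) \{", body, re.M))
        if attached & h2_profiles:
            hits.append(name)
    return hits
```

Any virtual server the script reports is one where the HTTP/2 profile should be removed until the upgrade lands.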
References
- F5 Security Advisory – K41551269 (CVE-2022-23012)
- NVD CVE Entry
- F5 BIG-IP HTTP/2 Profile Documentation
Final Thoughts
Keeping your load balancers—and all your infrastructure—up to date is more important than ever. Even features that seem like “just a checkbox” (like HTTP/2) can have big consequences if left unchecked.
If you still use affected BIG-IP versions with HTTP/2 enabled, you are at risk for service outages caused by trivial crashes. Patch now, or disable HTTP/2, and keep an eye on your appliances.
Feel free to share your own experience or questions about this CVE in the comments!
Stay safe, and keep your infrastructure resilient!
Timeline
Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 17:52:00 UTC