High severity7.5NVD Advisory· Published Feb 9, 2017· Updated May 13, 2026

CVE-2016-9244

Description

A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.

Affected products

F5 Networks/F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, PEM, PSMv5
Range: 11.6.1 before 11.6.1 HF1 and 12.1.x before 12.1.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securitytracker.com/id/1037800nvdThird Party AdvisoryVDB Entry
support.f5.com/csp/article/K05121675nvdMitigationVendor Advisory
packetstormsecurity.com/files/141017/Ticketbleed-F5-TLS-Information-Disclosure.htmlnvd
www.securityfocus.com/bid/96143nvd
blog.filippo.io/finding-ticketbleed/nvd
filippo.io/Ticketbleed/nvd
github.com/0x00string/oldays/blob/master/CVE-2016-9244.pynvd
www.exploit-db.com/exploits/41298/nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.054
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000