CVE-2026-40396
published 2026-04-12CVE-2026-40396: Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1…
PriorityP344high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.35%
26.5th percentile
Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| varnish-software | varnish_cache | >= 9.0.0 < 9.0.1 | 9.0.1 |
| vinyl-cache | vinyl_cache | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat4.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-5pmq-jgg5-3j6q: Varnish Cache 9 before 9
ghsa_unreviewed·2026-04-12
CVE-2026-40396 [MEDIUM] CWE-670 GHSA-5pmq-jgg5-3j6q: Varnish Cache 9 before 9
Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The con
VulDB
varnish-software Varnish Cache up to 9.0.0 timeout_linger control flow
vuldb·2026-04-12·CVSS 4.0
CVE-2026-40396 [MEDIUM] varnish-software Varnish Cache up to 9.0.0 timeout_linger control flow
A vulnerability has been found in varnish-software Varnish Cache up to 9.0.0 and classified as problematic. The impacted element is the function timeout_linger. Performing a manipulation results in incorrect control flow.
This vulnerability is known as CVE-2026-40396. Remote exploitation of the attack is possible. No exploit is available.
The affected component should be upgraded.
Red Hat
varnish: Varnish Cache: Denial of Service via workspace overflow during HTTP/1 pipelining
vendor_redhat·2026-04-12·CVSS 4.0
CVE-2026-40396 [MEDIUM] CWE-131 varnish: Varnish Cache: Denial of Service via workspace overflow during HTTP/1 pipelining
varnish: Varnish Cache: Denial of Service via workspace overflow during HTTP/1 pipelining
A flaw was found in Varnish Cache. A malicious client can exploit a 'workspace overflow' vulnerability by sending an HTTP/1 request, waiting for the session to release its worker thread, and then resuming traffic with multiple requests to trigger a pipelining operation. This can lead to a workspace overflow, causing the Varnish server to panic and crash, resulting in a Denial of Service (DoS).
Package: varnish (Red Hat Enterprise Linux 10) - Not affected
Package: varnish:6/varnish (Red Hat Enterprise Linux 8) - Not affected
Package: varnish (Red Hat Enterprise Linux 9) - Not affected
No detection rules found.
No public exploits indexed.
2026-04-12
Published