Description
Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.
Published: 2026-04-12
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Varnish Cache and Varnish Enterprise allows an attacker to trigger a workspace overflow that causes the daemon to panic and stop serving requests. It stems from a buffer allocation made during the HTTP/2 session upgrade, which, given certain amounts of prefetched data, can deplete available workspace and induce a denial of service. The weakness corresponds to CWE‑131 (Incorrect Calculation of Buffer Size) and CWE‑670 (Privilege Escalation). The result is loss of service for the affected instance, impacting application availability for all users of the server.

Affected Systems

Varnish Cache 9 versions prior to 9.0.1 and Varnish Enterprise 6 versions before 6.0.16r11 are affected. The issue applies to environments running Varnish on the corresponding software releases.

Risk and Exploitability

The CVSS score of 4 indicates moderate severity, and the EPSS score of less than 1% suggests low probability of current exploitation. The vulnerability has not been reported in the CISA KEV catalog. The exploit requires connection to the Varnish instance, configuration of an HTTP/2 session, and delivery of prefetched data that triggers the overflow, implying a remote or network‑based attack vector.

Generated by OpenCVE AI on April 14, 2026 at 01:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Varnish Cache to version 9.0.1 or later
  • Upgrade Varnish Enterprise to version 6.0.16r11 or later

Generated by OpenCVE AI on April 14, 2026 at 01:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Varnish-software varnish Enterprise
Vinyl-cache
Vinyl-cache vinyl Cache
CPEs cpe:2.3:a:varnish-software:varnish_enterprise:*:*:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r10:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r8:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r9:*:*:*:*:*:*
cpe:2.3:a:vinyl-cache:vinyl_cache:9.0.0:*:*:*:*:*:*:*
Vendors & Products Varnish-software varnish Enterprise
Vinyl-cache
Vinyl-cache vinyl Cache

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Varnish Cache Workspace Overflow Denial of Service via HTTP/2 Upgrade Varnish Cache: Varnish Enterprise: Varnish Cache and Varnish Enterprise: Denial of Service via workspace overflow
Weaknesses CWE-131
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Varnish Cache Workspace Overflow Denial of Service via HTTP/2 Upgrade

Sun, 12 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.
First Time appeared Varnish-software
Varnish-software varnish Cache
Weaknesses CWE-670
CPEs cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*
Vendors & Products Varnish-software
Varnish-software varnish Cache
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L'}

Subscriptions

Varnish-software Varnish Cache Varnish Enterprise
Vinyl-cache Vinyl Cache
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-13T15:45:55.804Z

Reserved: 2026-04-12T19:17:33.934Z

Link: CVE-2026-40394

cve-icon Vulnrichment

Updated: 2026-04-13T15:45:53.119Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-12T20:16:17.857

Modified: 2026-04-17T14:35:23.607

Link: CVE-2026-40394

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-12T19:17:34Z

Links: CVE-2026-40394 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:12Z

Weaknesses