Description
Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.
Published: 2026-04-12
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to trigger a workspace overflow by sending a request that carries an excessive number of header fields. The affected function, headerplus.write_req0(), updates the underlying request object that VCL uses for switching VCL contexts. Excess headers overflow the allocated workspace, causing the daemon to panic and crash. This results in a denial of service against the Varnish Enterprise server.

Affected Systems

Varnish Software’s Varnish Enterprise product is affected. Versions prior to 6.0.16r12 are vulnerable. No additional vendor or product details are specified beyond the product name.

Risk and Exploitability

The CVSS base score is 4.0, indicating moderate impact. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation data. The attack vector is presumably remote, as a malicious client can craft HTTP requests with many headers. If exploited, the server would crash, leading to temporary denial of service until the process is restarted.

Generated by OpenCVE AI on April 12, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade to Varnish Enterprise 6.0.16r12 or later.
  • Verify that the application is no longer crashing after updating the VCL handling of request headers.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r10:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r11:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r8:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r9:*:*:*:*:*:*

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Varnish: Varnish Enterprise: Denial of Service via workspace overflow
References
Metrics threat_severity

None

threat_severity

Moderate


Sun, 12 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.
First Time appeared Varnish-software
Varnish-software varnish Enterprise
Weaknesses CWE-770
CPEs cpe:2.3:a:varnish-software:varnish_enterprise:*:*:*:*:*:*:*:*
Vendors & Products Varnish-software
Varnish-software varnish Enterprise
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-13T15:45:30.791Z

Reserved: 2026-04-12T19:21:08.847Z

Link: CVE-2026-40395

Vulnrichment

Updated: 2026-04-13T15:45:27.838Z

NVD

Status: Analyzed

Published: 2026-04-12T20:16:18.893

Modified: 2026-04-17T14:37:34.147

Link: CVE-2026-40395

Red Hat

Severity: Moderate

Public Date: 2026-04-12T19:21:09Z

Links: CVE-2026-40395 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-13T12:54:01Z

Weaknesses