Description
Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.
Published: 2026-04-12
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Varnish Cache 9 before 9.0.1 permits a workspace overflow that leads to a daemon panic when a client performs HTTP/1 pipelining after a timeout. The overflow occurs because the prefetched data from one request may exceed the new workspace_client size during transition, causing a panic. This results in an abrupt service shutdown, denying availability to all users. The flaw is linked to improper buffer size handling (CWE-131) and synchronization errors (CWE-670). No remote code execution is possible; the attack is limited to causing a denial of service.

Affected Systems

The affected vendor is Varnish Software, product Varnish Cache. Versions 9.0.0 through any earlier build of 9.0.1 are vulnerable. The issue appears only in the 9.x series before the 9.0.1 release that addressed the workspace API adaptation. Systems running these versions and exposed to Internet clients that can send HTTP/1 pipelined requests are at risk.

Risk and Exploitability

The CVSS score of 4 denotes a medium impact on availability. EPSS reports less than 1% likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack likely originates from a remote client that can maintain a persistent connection and send a pipelined request after exploiting the timeout_linger behavior; the required conditions are publicly reachable HTTP/1 interfaces and unpatched Varnish Cache versions. Given the low exploitation probability and the nature of the attack, the overall risk is moderate, but the impact on availability can be severe for critical services.

Generated by OpenCVE AI on April 14, 2026 at 01:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Varnish Cache 9.0.1 or later
  • Verify the update and monitor for daemon panics
  • If upgrade is delayed, limit or disable HTTP/1 pipelining and adjust timeout settings, then monitor
  • Stay alert for further advisories from Varnish Software

Generated by OpenCVE AI on April 14, 2026 at 01:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Vinyl-cache
Vinyl-cache vinyl Cache
CPEs cpe:2.3:a:vinyl-cache:vinyl_cache:9.0.0:*:*:*:*:*:*:*
Vendors & Products Vinyl-cache
Vinyl-cache vinyl Cache

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Workspace Overflow Leading to Denial of Service in Varnish Cache 9.0.0 varnish: Varnish Cache: Denial of Service via workspace overflow during HTTP/1 pipelining
Weaknesses CWE-131
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Workspace Overflow Leading to Denial of Service in Varnish Cache 9.0.0

Sun, 12 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.
First Time appeared Varnish-software
Varnish-software varnish Cache
Weaknesses CWE-670
CPEs cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*
Vendors & Products Varnish-software
Varnish-software varnish Cache
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L'}

Subscriptions

Varnish-software Varnish Cache
Vinyl-cache Vinyl Cache
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-13T15:35:43.858Z

Reserved: 2026-04-12T19:23:00.553Z

Link: CVE-2026-40396

cve-icon Vulnrichment

Updated: 2026-04-13T15:35:38.198Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-12T20:16:19.057

Modified: 2026-04-17T14:38:09.830

Link: CVE-2026-40396

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-12T19:23:03Z

Links: CVE-2026-40396 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:11Z

Weaknesses