Description

Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.

INFO

Published Date :

2026-04-12T19:23:03.408Z

Last Modified :

2026-04-12T19:34:04.613Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40396 vulnerability.

Vendors Products
Varnish-software
  • Varnish Cache
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40396.

URL Resource
https://github.com/varnish/varnish/issues/15 cve-icon cve-icon
https://github.com/varnish/varnish/releases/tag/varnish-9.0.1 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact