CVE-2026-40394
Received Received - Intake
Workspace Overflow DoS in Varnish Cache HTTP/2 Handling

Publication date: 2026-04-12

Last updated on: 2026-04-17

Assigner: MITRE

Description
Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40394
EUVD
EUVD-2026-21738
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
varnish-software varnish_enterprise to 6.0.15 (inc)
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
vinyl-cache vinyl_cache 9.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40394 is a vulnerability in Varnish Cache and Varnish Enterprise that causes a workspace overflow during HTTP/2 session upgrades. When an HTTP/1 request is upgraded to HTTP/2, the system allocates a buffer to send frames to the client, which splits the original workspace. If there is a certain amount of prefetched data, subsequent fetch operations using pipelining can exceed the available workspace, causing an overflow.

This overflow triggers a daemon panic, effectively causing the Varnish service to crash. Malicious clients can exploit this to cause a Denial of Service (DoS) attack.

The issue affects Varnish Enterprise versions 6.0.14r1 through 6.0.16r10 and Varnish Cache 9.0.0, and is fixed in Varnish Enterprise 6.0.16r11 and Varnish Cache 9.0.1 by changing the buffer allocation strategy.

Impact Analysis

This vulnerability can be exploited by attackers to cause a Denial of Service (DoS) on systems running affected versions of Varnish Cache or Varnish Enterprise.

  • The overflow causes a daemon panic, crashing the Varnish service and disrupting normal operations.
  • Service downtime or unavailability can impact website or application performance that relies on Varnish for caching and acceleration.
  • Repeated exploitation could lead to persistent service interruptions, affecting user experience and business continuity.
Detection Guidance

The vulnerability causes a workspace overflow leading to a daemon panic during HTTP/2 session upgrades in Varnish Cache or Varnish Enterprise. Detection can involve monitoring for unexpected daemon panics or crashes related to HTTP/2 traffic.

Since the issue occurs during HTTP/2 upgrades and pipelining fetches, you can look for crash logs or panic messages in Varnish logs that indicate workspace overflow or daemon panic.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Varnish Cache to version 9.0.1 or later, or Varnish Enterprise to version 6.0.16r11 or later, where the vulnerability has been fixed.

After upgrading, restart the Varnish service to apply the fix.

The fix changes the buffer allocation strategy to prevent workspace fragmentation and overflow during HTTP/2 session upgrades.

Compliance Impact

The vulnerability described in CVE-2026-40394 is a denial of service (DoS) issue caused by a workspace overflow during HTTP/2 session upgrades in Varnish software. It does not involve unauthorized access, data leakage, or modification of sensitive information.

Because this vulnerability leads to service disruption rather than data compromise, its direct impact on compliance with data protection standards such as GDPR or HIPAA is limited. However, denial of service incidents can affect availability requirements under these regulations.

Organizations relying on Varnish for critical services should consider the potential availability impact and ensure timely patching to maintain compliance with availability and service continuity obligations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40394. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart