CVE-2026-40395
Received Received - Intake
Workspace Overflow DoS in Varnish Enterprise Shared VCL

Publication date: 2026-04-12

Last updated on: 2026-04-17

Assigner: MITRE

Description
Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40395
EUVD
EUVD-2026-21740
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
varnish-software varnish_enterprise to 6.0.15 (inc)
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
varnish-software varnish_enterprise 6.0.16
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-40395 is a Denial of Service (DoS) vulnerability in Varnish Enterprise versions before 6.0.16r12 related to shared VCL (Varnish Configuration Language) deployments.

The vulnerability arises from the function headerplus.write_req0() in the vmod_headerplus module, which updates the underlying req0 object. Normally, req0 is the original read-only request from which req is derived and is both readable and writable from VCL.

This function is used in active VCLs to amend req and prepare a refined req0 before switching to a different VCL using the return (vcl(<label>)) action, a mechanism used by the Varnish Controller in shared VCL deployments.

If the amended req contains too many header fields for req0, it causes a workspace overflow that triggers a panic and crashes the Varnish Enterprise server. This can be exploited by malicious clients to perform a Denial of Service attack.

Impact Analysis

This vulnerability can cause the Varnish Enterprise server to crash due to a workspace overflow triggered by too many header fields in a request.

As a result, malicious clients can exploit this flaw to cause a Denial of Service (DoS), making the service unavailable to legitimate users.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade Varnish Enterprise to version 6.0.16r12 or later, where the issue is resolved.

After upgrading, you should restart the Varnish server to apply the fix.

Detection Guidance

This vulnerability is related to a workspace overflow in Varnish Enterprise versions before 6.0.16r12 when using shared VCL deployments with the vmod_headerplus module. Detection involves identifying if your Varnish Enterprise server is running a vulnerable version (6.0.9r5 up to 6.0.16r11) and if the vmod_headerplus module is in use with shared VCL.

To detect the vulnerability on your system, you can check the installed Varnish Enterprise version by running:

  • varnishd -V

If the version is within the vulnerable range, it is recommended to upgrade to 6.0.16r12 or later.

To monitor for potential exploitation attempts or crashes caused by this vulnerability, you can check Varnish logs for daemon panics or crashes related to workspace overflow.

Since the vulnerability is triggered by requests with too many header fields, you can use network monitoring tools or packet capture utilities (like tcpdump or Wireshark) to identify suspicious requests with an unusually large number of headers.

Example command to capture HTTP requests with many headers (using tcpdump):

  • tcpdump -i <interface> -A 'tcp port 80 or tcp port 443'

Then analyze the captured traffic for requests with excessive headers that might trigger the overflow.

Note: There are no specific commands provided in the resources for direct detection of this vulnerability beyond version checking and monitoring for crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40395. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart