CVE-2026-40396
Workspace Overflow DoS in Varnish Cache
Publication date: 2026-04-12
Last updated on: 2026-04-17
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| varnish-cache | varnish_cache | 9.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-40396 is a vulnerability in Varnish Cache 9.0.0 that allows a denial of service (DoS) attack: a workspace overflow causes the server to panic and crash.
The issue arises when a malicious client sends an HTTP/1 request, waits until the session releases its worker thread (after timeout_linger), and then resumes traffic before the session is fully closed (before timeout_idle). By sending several requests at once at that point, the client triggers pipelining between requests.
This vulnerability originated from porting Varnish Enterprise's non-blocking architecture for HTTP/2 to Varnish Cache 9.0.0, which required adapting to a newer workspace API. During that port, a code path that should have ensured a complete workspace rollback during pipelining was missed, losing the guarantee that prefetched data fits inside workspace_client.
As a result, the workspace can overflow, triggering a panic and crashing the Varnish server.
Additionally, the vulnerability involves missing error handling in the function HTC_RxInit() in the source code, which leads to a crash when certain conditions fail during HTTP/1 request processing.
How can this vulnerability impact me?
This vulnerability can cause the Varnish Cache server to crash unexpectedly, resulting in a denial of service.
An attacker can exploit this by sending specially crafted HTTP/1 requests that trigger workspace overflow and cause the server to panic and terminate worker threads.
The impact includes service interruptions, degraded availability, and potential downtime for applications relying on Varnish Cache for caching and acceleration.
Since the crash is intermittent and can cause request hangs, it may also lead to unpredictable behavior and reduced reliability of the caching infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability causes intermittent crashes and panics in the Varnish Cache server, specifically while worker threads handle HTTP/1 requests. Detection can focus on monitoring varnishd logs for panic messages that reference HTC_RxInit() and for cache worker child terminations and restarts.
Since the crash occurs when a malicious client sends pipelined HTTP/1 requests against a lingering session, network detection can look for unusual HTTP/1 pipelining behaviour: multiple requests arriving at once on an idle connection after the timeout_linger period has elapsed but before timeout_idle expires.
Suggested commands to detect the issue include:
- Check varnishd logs for panic or crash messages: `journalctl -u varnish` or `tail -f /var/log/varnish/varnish.log`
- Use systemd or process monitoring to detect varnishd worker thread crashes or restarts.
- Capture and analyze HTTP traffic with tcpdump or Wireshark filtering for HTTP/1 pipelined requests: `tcpdump -i <interface> -s 0 -w capture.pcap 'tcp port 80 or tcp port 6081'`
- Use varnishstat or varnishlog to monitor session and worker thread behavior for anomalies.
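As an added example (not part of the CVE record and not Varnish project code), the script below implements the first of the detection steps above: it scans varnishd manager log lines (as produced by `journalctl -u varnish`) for child-process panics, the function named in the panic's assertion, the signal the child died with, and subsequent child restarts, then flags a crash loop when several panics fall inside a time window. The message shapes follow varnishd's manager log lines ("Child (<pid>) Started", "Child (<pid>) Panic at: ...", "Child (<pid>) died signal=<n>"); the sample journal lines themselves are constructed, and the file/line part of the assertion is a placeholder because the record does not give it.

```python
"""Scan varnishd manager log lines for child panics and restarts (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample of what `journalctl -u varnish` might show on an affected host.
SAMPLE_JOURNAL = """\
Apr 12 10:00:01 cache1 varnishd[1201]: Child (1202) Started
Apr 12 10:00:01 cache1 varnishd[1201]: Child (1202) said Child starts
Apr 12 10:14:33 cache1 varnishd[1201]: Child (1202) Panic at: Sun, 12 Apr 2026 10:14:33 GMT
Apr 12 10:14:33 cache1 varnishd[1201]: Assert error in HTC_RxInit(), <file>:<line>: (placeholder panic body)
Apr 12 10:14:33 cache1 varnishd[1201]: Child (1202) died signal=6 (core dumped)
Apr 12 10:14:34 cache1 varnishd[1201]: Child (1340) Started
Apr 12 10:52:07 cache1 varnishd[1201]: Child (1340) Panic at: Sun, 12 Apr 2026 10:52:07 GMT
Apr 12 10:52:07 cache1 varnishd[1201]: Assert error in HTC_RxInit(), <file>:<line>: (placeholder panic body)
Apr 12 10:52:07 cache1 varnishd[1201]: Child (1340) died signal=6 (core dumped)
Apr 12 10:52:08 cache1 varnishd[1201]: Child (1411) Started
Apr 12 11:00:00 cache1 sshd[900]: Accepted publickey for ops from 10.0.0.5 port 40112
Apr 12 12:20:40 cache1 varnishd[1201]: Child (1411) Panic at: Sun, 12 Apr 2026 12:20:40 GMT
Apr 12 12:20:40 cache1 varnishd[1201]: Child (1411) died signal=6 (core dumped)
Apr 12 12:20:41 cache1 varnishd[1201]: Child (1512) Started
"""

# Syslog-style prefix: timestamp, host, then the varnishd manager message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ varnishd\[\d+\]: (?P<msg>.*)$"
)
STARTED_RE = re.compile(r"^Child \((?P<pid>\d+)\) Started")
PANIC_RE = re.compile(r"^Child \((?P<pid>\d+)\) Panic at:")
DIED_RE = re.compile(r"^Child \((?P<pid>\d+)\) died signal=(?P<sig>\d+)")
ASSERT_RE = re.compile(r"Assert error in (?P<func>\w+)\(\)")


def parse_events(text, year):
    """Turn journal text into a list of {ts, kind, pid, detail} events.

    Syslog timestamps carry no year, so the caller supplies it.
    Lines from other daemons and unrecognised varnishd lines are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        for kind, rx in (("started", STARTED_RE), ("panic", PANIC_RE), ("died", DIED_RE)):
            mm = rx.match(msg)
            if mm:
                detail = int(mm["sig"]) if kind == "died" else None
                events.append({"ts": ts, "kind": kind, "pid": int(mm["pid"]), "detail": detail})
                break
        else:
            mm = ASSERT_RE.search(msg)
            if mm:  # panic body line naming the failed assertion's function
                events.append({"ts": ts, "kind": "assert", "pid": None, "detail": mm["func"]})
    return events


def summarize(events):
    """Count panics, child restarts after the first panic, asserting functions and death signals."""
    panics = [e for e in events if e["kind"] == "panic"]
    starts = [e for e in events if e["kind"] == "started"]
    first_panic = min((p["ts"] for p in panics), default=None)
    restarts = sum(1 for s in starts if first_panic is not None and s["ts"] >= first_panic)
    return {
        "panics": len(panics),
        "restarts": restarts,
        "assert_functions": dict(Counter(e["detail"] for e in events if e["kind"] == "assert")),
        "signals": dict(Counter(e["detail"] for e in events if e["kind"] == "died")),
    }


def crash_loop(events, window_seconds=3600, threshold=2):
    """True if at least `threshold` panics fall within any `window_seconds` span."""
    stamps = sorted(e["ts"] for e in events if e["kind"] == "panic")
    for i in range(len(stamps) - threshold + 1):
        if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
            return True
    return False


if __name__ == "__main__":
    import sys
    # Pipe real journal output in; with no stdin, fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    ev = parse_events(text, datetime.now().year)
    print(summarize(ev))
    print("crash loop:", crash_loop(ev))
```

Run it as `journalctl -u varnish --no-pager | python3 varnish_panics.py` (the script name is an assumption). A non-zero panic count whose assertion function is HTC_RxInit(), together with repeated child restarts, is the log-side signature the record describes; the crash-loop check is what you would wire to an alert, with the window and threshold tuned to how often an unplanned child restart is acceptable on your host.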
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Varnish Cache to version 9.0.1 or later, where this vulnerability has been fixed by addressing the workspace overflow and adding proper error handling.
Until an upgrade can be performed, consider the following immediate steps:
- Temporarily disable or restrict HTTP/1 pipelining to prevent malicious clients from exploiting lingering sessions.
- Adjust the timeout_linger and timeout_idle parameters to narrow the window between a session releasing its worker thread and being closed, during which pipelining can be exploited.
- Monitor varnishd logs closely for crashes and restart varnishd promptly to minimize downtime.
- Implement network-level protections such as rate limiting or filtering suspicious HTTP/1 pipelined requests.