CVE-2026-40396

Source
https://cve.org/CVERecord?id=CVE-2026-40396
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40396.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40396
Downstream
Published
2026-04-12T19:23:03.408Z
Modified
2026-07-08T07:54:30.067866248Z
Severity
  • 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L CVSS Calculator
Summary
[none]
Details

Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeoutlinger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeoutlinger) and resume traffic before the session is closed (timeoutidle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspaceclient during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40396.json",
    "cna_assigner": "mitre",
    "cwe_ids": [
        "CWE-670"
    ]
}
References

Affected packages

Git / github.com/varnish/varnish

Affected ranges

Type
GIT
Repo
https://github.com/varnish/varnish
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.0.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

varnish-9.*
varnish-9.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40396.json"