CVE-2026-40394

MEDIUM 4.0

CVSS Score

4.0

EPSS Score

0.0%

EPSS Percentile

12th

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.

CWE	CWE-670
Vendor	varnish-software
Product	varnish cache
Published	Apr 12, 2026
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for varnish-software varnish cache

Be the first to know when new medium vulnerabilities affecting varnish-software varnish cache are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

varnish-software / Varnish Cache

9.0.0 < 9.0.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.varnish-software.com: https://docs.varnish-software.com/security/VEV00002/