CVE-2026-40394

EUVD-2026-21738
Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.
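The affected ranges above are narrow (only the 9.x series of the open-source daemon, and Enterprise builds before 6.0.16r11), and the Enterprise "rN" release suffix makes a naive string comparison unreliable. The following Python is an added example, not code from the advisory or from the Varnish projects: it parses a version string, or the first line of a `varnishd -V` banner, and decides whether the build falls inside the ranges the description states. The banner layouts it accepts ("varnish-X.Y.Z" for Varnish Cache and "varnish-plus-X.Y.ZrN" for Varnish Enterprise) are this example's assumption about how the daemon reports itself; confirm them against your own installation before relying on the result.

```python
import re
from typing import Optional, Tuple

# Ranges taken from the CVE-2026-40394 description:
#   Varnish Cache 9 before 9.0.1
#   Varnish Enterprise before 6.0.16r11
ENTERPRISE_FIXED = (6, 0, 16, 11)   # 6.0.16r11 is the first fixed Enterprise release
OSS_FIXED_9 = (9, 0, 1)             # 9.0.1 is the first fixed Varnish Cache 9 release

# ASSUMPTION: banner shapes as printed by `varnishd -V`, e.g.
#   varnishd (varnish-9.0.0 revision ...)
#   varnishd (varnish-plus-6.0.16r10 revision ...)
_BANNER_RE = re.compile(r"varnish(?P<plus>-plus)?-(?P<ver>\d+\.\d+\.\d+(?:r\d+)?)")
_BARE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+(?:r\d+)?)\s*$")


def parse_version(text: str, flavour: Optional[str] = None) -> Tuple[str, Tuple[int, ...]]:
    """Return (flavour, version tuple).

    flavour is "enterprise" or "cache".  It is inferred from a banner
    (the "-plus" marker) and must be given explicitly for a bare version
    string.  Enterprise tuples carry the rN release as a fourth component
    (0 when no suffix is present) so that 6.0.16r10 < 6.0.16r11 compares
    correctly, and 6.0.15 (any release) sorts below every 6.0.16rN.
    """
    m = _BANNER_RE.search(text)
    if m:
        flavour = flavour or ("enterprise" if m.group("plus") else "cache")
        ver = m.group("ver")
    else:
        m = _BARE_RE.match(text)
        if not m or flavour is None:
            raise ValueError(f"cannot determine varnish version/flavour from {text!r}")
        ver = m.group(1)
    base, _, rel = ver.partition("r")
    major, minor, patch = (int(x) for x in base.split("."))
    if flavour == "enterprise":
        return flavour, (major, minor, patch, int(rel) if rel else 0)
    return flavour, (major, minor, patch)


def is_affected(text: str, flavour: Optional[str] = None) -> bool:
    """True when the build is inside the ranges named by the advisory."""
    kind, v = parse_version(text, flavour)
    if kind == "enterprise":
        return v < ENTERPRISE_FIXED
    # The advisory names only the 9.x series of the open-source daemon;
    # 7.x and 8.x builds are outside the stated range.
    return v[0] == 9 and v < OSS_FIXED_9


if __name__ == "__main__":
    # Constructed banners for illustration; not captured from real hosts.
    samples = [
        "varnishd (varnish-9.0.0 revision 0000000000000000000000000000000000000000)",
        "varnishd (varnish-9.0.1 revision 0000000000000000000000000000000000000000)",
        "varnishd (varnish-7.7.3 revision 0000000000000000000000000000000000000000)",
        "varnishd (varnish-plus-6.0.16r10 revision 0000000000000000000000000000000000000000)",
        "varnishd (varnish-plus-6.0.16r11 revision 0000000000000000000000000000000000000000)",
    ]
    for s in samples:
        print(f"{'AFFECTED ' if is_affected(s) else 'not affected'}  {s.split()[1].strip('(')}")
```

Feed it the first line of `varnishd -V` from each host in an inventory; anything reported as affected should be scheduled for the 9.0.1 or 6.0.16r11 upgrade named in the description.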
CVSS 3.x
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  4.0 MEDIUM  NETWORK      HIGH             NONE            CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

EPSS percentile: 18%
Affected Products (NVD)
All versions listed below are marked vulnerable, matching the ranges in the description (Varnish Enterprise before 6.0.16r11, Varnish Cache 9 before 9.0.1).
Vendor            Product             Version
varnish-software  varnish_enterprise  ≤ 6.0.15
varnish-software  varnish_enterprise  6.0.16:r1
varnish-software  varnish_enterprise  6.0.16:r2
varnish-software  varnish_enterprise  6.0.16:r3
varnish-software  varnish_enterprise  6.0.16:r4
varnish-software  varnish_enterprise  6.0.16:r5
varnish-software  varnish_enterprise  6.0.16:r6
varnish-software  varnish_enterprise  6.0.16:r7
varnish-software  varnish_enterprise  6.0.16:r8
varnish-software  varnish_enterprise  6.0.16:r9
varnish-software  varnish_enterprise  6.0.16:r10
vinyl-cache       vinyl_cache         9.0.0
Debian Releases
Product  Codename             Version          Status
varnish  bookworm             7.1.1-2+deb12u1  fixed
varnish  bookworm (security)  7.1.1-2+deb12u1  fixed
varnish  bullseye             6.5.1-1+deb11u3  fixed
varnish  bullseye (security)  6.5.1-1+deb11u5  fixed
varnish  forky                7.7.3-2          fixed
varnish  sid                  7.7.3-2          fixed
varnish  trixie               7.7.0-3          fixed
varnish  trixie (security)    7.7.0-3+deb13u1  fixed
Ubuntu Releases
Product  Codename  Status
varnish  bionic    needs-triage
varnish  focal     needs-triage
varnish  jammy     needs-triage
varnish  noble     needs-triage
varnish  questing  needs-triage
varnish  resolute  needs-triage
varnish  trusty    needs-triage
varnish  xenial    ignored