Platform
linux
Component
varnish-cache
Fixed in
9.0.1
CVE-2026-40394 describes a Denial of Service (DoS) vulnerability affecting Varnish Cache. This flaw allows attackers to cause a daemon panic, effectively crashing the Varnish Cache server, through carefully crafted requests with specific prefetched data amounts. The vulnerability impacts versions 9.0.0 through 9.0.1, as well as Varnish Enterprise versions prior to 6.0.16r11r1. A patch is available in version 9.0.1.
CVE-2026-40394 in Varnish Cache allows for a denial-of-service (DoS) attack that can lead to a daemon panic. This occurs due to a workspace overflow when handling large amounts of prefetched data. Specifically, the upgrade of an HTTP/1 session to HTTP/2, where the HTTP/1 request is repurposed as stream zero, involves a buffer allocation. If the amount of prefetched data is sufficiently large, this allocation can exceed workspace limits, resulting in a daemon panic and service disruption. The severity of this flaw lies in its potential to interrupt Varnish service availability, impacting web applications that rely on it for caching and acceleration.
Exploitation of CVE-2026-40394 requires the ability to control the amount of data prefetched by Varnish Cache. This could be achieved by manipulating HTTP headers or configuring Varnish to prefetch a large amount of data. An attacker could send an HTTP/2 request requesting a large amount of data, triggering the buffer allocation and workspace overflow. The complexity of exploitation depends on Varnish's configuration and the attacker's ability to influence the amount of prefetched data. Given the vulnerability's relation to HTTP/1 to HTTP/2 upgrades, attackers are likely to focus on scenarios where HTTP/2 is utilized.
Exploit Status
EPSS
0.06% (17% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40394 is to upgrade to a version of Varnish Cache that includes the fix. Affected versions are Varnish Cache 9.0 and earlier, and Varnish Enterprise prior to version 6.0.16r11. The patched version is Varnish Cache 9.0.1 and Varnish Enterprise 6.0.16r11 or later. Applying this update as soon as possible is recommended to prevent potential denial-of-service attacks. Additionally, monitor your Varnish server's resource usage for any anomalous behavior that might indicate exploitation attempts. If immediate updating isn't possible, consider temporary measures like limiting the amount of prefetched data, although this may impact caching performance.
Actualice Varnish Cache a la versión 9.0.1 o posterior para mitigar el riesgo de denegación de servicio. La actualización corrige un error que permite un desbordamiento del espacio de trabajo, lo que puede provocar un fallo del demonio al procesar grandes cantidades de datos prefetch.
Vulnerability analysis and critical alerts directly to your inbox.
Varnish Cache 9.0 and earlier, and Varnish Enterprise prior to 6.0.16r11.
Varnish Cache 9.0.1 and Varnish Enterprise 6.0.16r11 or later.
It's an error that occurs when a program attempts to use more memory than it has been allocated, in this case, Varnish Cache's workspace.
Check the version of Varnish Cache you are using. If it's earlier than the patched versions, you are vulnerable.
Consider limiting the amount of prefetched data as a temporary measure, although this may impact performance.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.