Platform
linux
Component
varnish-enterprise
Fixed in
6.0.16r12
CVE-2026-40395 describes a Denial of Service (DoS) vulnerability in Varnish Enterprise. An attacker can induce a daemon panic, crashing the service, through a workspace overflow in shared VCL configurations. Releases from 6.0.9r5 onward are affected; the fix ships in 6.0.16r12.
The primary impact of CVE-2026-40395 is denial of service. A successful exploit panics the varnishd child process, so Varnish Enterprise stops serving. The manager process normally restarts the child, but in-flight requests fail and objects held in memory storage are lost, and a trigger that can be repeated keeps the service down. The flaw is in the headerplus.write_req0() function of vmod_headerplus, which mishandles header fields in shared VCL deployments. According to the description, a request carrying a large number of header fields can overflow the workspace and crash the daemon.
CVE-2026-40395 was publicly disclosed on 2026-04-12. Its impact is contained to denial of service; no data compromise is described. At the time of publication there was no indication of active exploitation and no public proof-of-concept (PoC) code. It is not listed in the CISA KEV catalog.
Exploit Status
EPSS
0.06% (17th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-40395 is to upgrade Varnish Enterprise to version 6.0.16r12 or later. If upgrading is not immediately feasible, consider temporary workarounds such as limiting the number of header fields accepted in requests (varnishd's http_max_hdr parameter caps the number of header lines, though the advisory does not state which limit the overflow actually crosses) or restricting who can reach shared VCL configurations. A WAF or upstream proxy that rejects oversized headers may reduce exposure, but it is not a substitute for patching. Monitor the varnishd manager log for child panics and restarts and for errors related to header processing. After upgrading, confirm the installed version with varnishd -V; if you also want to exercise the trigger by sending a request with a large number of headers, do so only against a staging instance, since a failed test is a self-inflicted outage.
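The following triage script is an added example and is not code from the advisory or from Varnish Software. It encodes the version range stated on this page (affected from 6.0.9r5, fixed in 6.0.16r12), extracts the version from varnishd -V when the binary is present, and scans log text for the manager's "Child (pid) Panic at:" lines. The sample varnishd -V output and syslog lines are constructed for the example; the exact varnishd -V format is an assumption, so the version regex is deliberately loose.

```python
"""Hypothetical triage helper for CVE-2026-40395 on a Linux host running
Varnish Enterprise (added example; not from the advisory or Varnish Software)."""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Version boundaries as stated on this page: affected from 6.0.9r5 up to,
# but not including, the fixed release 6.0.16r12.
FIRST_AFFECTED = "6.0.9r5"
FIXED_IN = "6.0.16r12"

# Matches "6.0.16r12" or a bare "6.0.16". Loose on purpose: it is applied to
# `varnishd -V` output whose exact wording is assumed, not taken from the page.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:r(\d+))?")

# Constructed sample of `varnishd -V` output (format assumed, not a capture).
SAMPLE_VARNISHD_V = "varnishd (varnish-plus-6.0.12r4 revision 0123456789abcdef)\n"

# Constructed syslog lines (not a real capture). Varnish's manager process
# logs a child panic as "Child (<pid>) Panic at: <timestamp>" and then the
# child death and restart.
SAMPLE_SYSLOG = """\
Apr 12 10:01:02 cache1 varnishd[1234]: Child (1240) said Child starts
Apr 12 10:05:17 cache1 varnishd[1234]: Child (1240) Panic at: Sun, 12 Apr 2026 10:05:17 GMT
Apr 12 10:05:17 cache1 varnishd[1234]: Child (1240) died signal=6 (core dumped)
Apr 12 10:05:18 cache1 varnishd[1234]: Child (1302) Started
"""
PANIC_RE = re.compile(r"Child \(\d+\) Panic at:")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a Varnish Enterprise version such as '6.0.16r12' into a
    comparable tuple (major, minor, patch, release). A version with no
    'r' suffix gets release 0 so it sorts before 'r1'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch, rel = m.groups()
    return (int(major), int(minor), int(patch), int(rel or 0))


def is_affected(version: str) -> bool:
    """True when version lies in [FIRST_AFFECTED, FIXED_IN). Only the 6.0
    branch described on this page is covered; other branches return False."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_IN)


def version_from_varnishd_output(output: str) -> str:
    """Return the first version token found in `varnishd -V` output."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("could not find a version in varnishd -V output")
    return m.group(0)


def installed_version() -> Optional[str]:
    """Run `varnishd -V` if the binary is on PATH; None when it is absent.
    varnishd writes its version banner to stderr, so both streams are read."""
    if shutil.which("varnishd") is None:
        return None
    proc = subprocess.run(["varnishd", "-V"], capture_output=True, text=True)
    return version_from_varnishd_output(proc.stderr + proc.stdout)


def panic_lines(log_text: str) -> List[str]:
    """Return manager log lines that record a child panic. This is generic
    panic detection, not a signature specific to CVE-2026-40395."""
    return [line for line in log_text.splitlines() if PANIC_RE.search(line)]


if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("varnishd not on PATH; checking constructed sample instead")
        found = version_from_varnishd_output(SAMPLE_VARNISHD_V)
    status = "AFFECTED, upgrade to " + FIXED_IN if is_affected(found) else "not in affected range"
    print(f"installed {found}: {status}")
    for line in panic_lines(SAMPLE_SYSLOG):
        print("panic seen:", line)
```

Run it on the cache node itself so varnishd -V reflects the binary actually in service; a package manager's view can lag behind a locally built or staged binary. Treat a panic line followed by "Child (...) Started" as a restart worth correlating with request logs, not as a recovery you can ignore.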
Update Varnish Enterprise to version 6.0.16r12 or later to mitigate the risk of denial of service. The update fixes a workspace overflow in the headerplus.write_req0() function of vmod_headerplus, which malicious clients could exploit to panic the daemon.
CVE-2026-40395 is a Denial of Service vulnerability affecting Varnish Enterprise releases from 6.0.9r5 up to the fix in 6.0.16r12. It allows an attacker to cause a daemon panic through a workspace overflow in shared VCL configurations.
You are affected if you are running Varnish Enterprise 6.0.9r5 or later without the fix. Upgrade to 6.0.16r12 or later to resolve this vulnerability.
The fix is to upgrade Varnish Enterprise to version 6.0.16r12 or later. If immediate upgrade is not possible, consider temporary workarounds like limiting header fields.
There is currently no evidence of CVE-2026-40395 being actively exploited, and no public proof-of-concept code is available.
Refer to the official Varnish Software security advisory for CVE-2026-40395 on the Varnish Software website.