Platform: linux
Component: varnish-cache
Fixed in: 9.0.1
CVE-2026-40396 describes a denial-of-service (DoS) vulnerability in Varnish Cache versions 9.0.0 and 9.0.1. The flaw allows a malicious client to induce a daemon panic, crashing the Varnish Cache service. It stems from a workspace overflow in timeout handling, introduced when Varnish Enterprise's non-blocking architecture for HTTP/2 was ported. Affected users should upgrade to version 9.0.1 to resolve this issue.
An attacker can exploit this vulnerability by sending a crafted sequence of HTTP/1 requests: the attacker sends an HTTP/1 request, waits until the session's worker thread is released (timeout_linger), and then resumes traffic before the session is closed (timeout_idle), sending multiple requests at once. This pipelined traffic triggers the workspace overflow, leading to a daemon panic and a denial of service. The impact is a complete disruption of the Varnish Cache service: legitimate users cannot reach cached content, which can cause significant performance degradation and service outages, especially in environments that rely heavily on Varnish for content delivery.
CVE-2026-40396 was publicly disclosed on 2026-04-12. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score is 4.0 (MEDIUM), indicating a moderate level of potential impact.
Exploit Status
EPSS: 0.02% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40396 is to upgrade Varnish Cache to version 9.0.1 or later, which contains the fix. If an immediate upgrade is not feasible because of compatibility concerns or testing requirements, consider temporary workarounds. No configuration change fully prevents the vulnerability, but limiting the number of concurrent requests a client may make can reduce the likelihood of triggering the overflow. Monitor Varnish Cache logs for unusual request patterns that could indicate exploitation attempts. After upgrading, confirm the fix by sending a series of rapid HTTP/1 requests and verifying that the Varnish Cache service remains stable and does not panic.
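As an added defensive example (not part of this advisory or of the Varnish project), the following script implements the log monitoring suggested above: it reads varnishncsa output and flags clients that send an unusually dense burst of requests. It assumes varnishncsa's default NCSA combined output format, uses assumed thresholds (more than 10 requests within any 1-second window), and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: varnishncsa runs with its default NCSA "combined" output format.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp) for a combined-format line, None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("client"), datetime.strptime(m.group("ts"), TS_FMT)

def find_bursty_clients(lines, max_requests=10, window_seconds=1.0):
    """Map client IP -> peak number of requests seen inside any sliding window of
    window_seconds, for clients whose peak exceeds max_requests (thresholds assumed)."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:  # skip lines that are not in the expected format
            per_client[parsed[0]].append(parsed[1])
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # advance the window start until it lies within window_seconds of ts
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[client] = peak
    return flagged

# Constructed sample log: one client fires 12 requests within the same second,
# another sends three requests spread over eight seconds, plus one junk line.
# find_bursty_clients(SAMPLE_LOG) -> {'203.0.113.7': 12}
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Apr/2026:10:15:03 +0000] "GET /asset/{i} HTTP/1.1" 200 512 "-" "example-client"'
    for i in range(12)
] + [
    f'198.51.100.2 - - [12/Apr/2026:10:15:{s:02d} +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "example-client"'
    for s in (1, 5, 9)
] + ["not a log line"]
```

In production, feed it `varnishncsa` output line by line and tune the thresholds to the site's normal per-client request rate before acting on a flag.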
Update Varnish Cache to version 9.0.1 or higher to mitigate the risk of denial of service due to a workspace overflow. The update corrects an error in the handling of pipelining operations that can cause the server to crash.
CVE-2026-40396 is a Denial of Service vulnerability affecting Varnish Cache versions 9.0.0 and 9.0.1, allowing a malicious client to trigger a daemon panic.
If you are running Varnish Cache versions 9.0.0 or 9.0.1, you are potentially affected by this vulnerability. Upgrade to 9.0.1 or later.
The recommended fix is to upgrade Varnish Cache to version 9.0.1 or a later version that addresses this vulnerability.
There is currently no evidence of active exploitation of CVE-2026-40396, but it's crucial to apply the patch proactively.
Refer to the official Varnish Cache security advisory for detailed information and updates regarding CVE-2026-40396: [https://www.varnish-cache.org/news/security/](https://www.varnish-cache.org/news/security/)