Varnish Enterprise vóór 6.0.16r12 maakt een "workspace overflow" denial of service (daemon panic) mogelijk voor gedeelde VCL. De headerplus.write_req0() functie van vmod_headerplus update de onderliggende req0
Platform
linux
Component
varnish-enterprise
Opgelost in
6.0.16r12
CVE-2026-40395 is een Denial of Service (DoS) kwetsbaarheid in Varnish Enterprise. Deze kwetsbaarheid maakt het mogelijk een daemon panic te veroorzaken via een workspace overflow, specifiek gerelateerd aan shared VCL. De kwetsbaarheid treft versies van Varnish Enterprise tussen 6.0.9r5 en 6.0.16r12 inclusief. Een update naar versie 6.0.16r12 lost dit probleem op.
Impact en Aanvalsscenarios
CVE-2026-40395 in Varnish Enterprise, prior to version 6.0.16r12, allows a denial-of-service (DoS) attack that can lead to a daemon panic due to a shared VCL. The headerplus.writereq0() function within the vmodheaderplus module updates the underlying req0, which is normally the original read-only request from which req is derived. This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the vcl(<label>) action. An attacker could exploit this functionality to trigger a workspace overflow, leading to the daemon panic and service disruption. The severity of this issue depends on the criticality of the Varnish service and the ease with which an attacker can influence traffic passing through the server.
Uitbuitingscontext
The vulnerability is exploited through manipulation of HTTP requests passing through the Varnish server. An attacker could craft specially designed requests that, when processed by vmod_headerplus in shared VCL, trigger a workspace overflow. The complexity of exploitation depends on the VCL configuration and the attacker's ability to control the content of HTTP requests. The vulnerability is particularly concerning in environments where shared VCL is used, as it allows an attacker to impact multiple applications or services sharing the same VCL configuration.
Wie Loopt Risicowordt vertaald…
Organizations utilizing Varnish Enterprise for content caching, particularly those employing shared VCL configurations, are at risk. This includes deployments handling high volumes of traffic or those with complex header manipulation requirements. Shared hosting environments leveraging Varnish Enterprise are also potentially vulnerable.
Detectiestappenwordt vertaald…
• linux / server:
journalctl -u varnish -g 'workspace overflow'• linux / server:
ps aux | grep -i headerplus• generic web: Use curl to send a request with a large number of headers to the Varnish Enterprise server and monitor for errors or crashes.
Aanvalstijdlijn
- Disclosure
disclosure
Dreigingsinformatie
Exploit Status
EPSS
0.06% (17% percentiel)
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Hoog — vereist een race condition, niet-standaard configuratie of specifieke omstandigheden.
- Privileges Required
- Geen — geen authenticatie vereist om te exploiteren.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
- Confidentiality
- Geen — geen vertrouwelijkheidsimpact.
- Integrity
- Geen — geen integriteitsimpact.
- Availability
- Laag — gedeeltelijke of intermitterende denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
- EPSS bijgewerkt
Mitigatie en Workarounds
The primary mitigation for this vulnerability is to upgrade Varnish Enterprise to version 6.0.16r12 or later. This version includes a fix that addresses the workspace overflow issue. While immediate upgrading may not be possible, reviewing and limiting the use of vmod_headerplus in shared VCL, especially in security-critical environments, is recommended. Monitoring Varnish logs for errors or unusual behavior can also help detect potential exploitation attempts. Implementing firewall rules to restrict access to the Varnish server to trusted sources can reduce the attack surface.
Hoe te verhelpenwordt vertaald…
Actualice Varnish Enterprise a la versión 6.0.16r12 o posterior para mitigar el riesgo de denegación de servicio. La actualización corrige una vulnerabilidad de desbordamiento del espacio de trabajo en la función headerplus.write_req0(), que podría ser explotada por clientes maliciosos para causar un fallo del servidor.
CVE Beveiligingsnieuwsbrief
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
Veelgestelde vragenwordt vertaald…
What is CVE-2026-40395 — DoS in Varnish Enterprise?
CVE-2026-40395 is a Denial of Service vulnerability affecting Varnish Enterprise versions 6.0.9r5–6.0.16r12, allowing an attacker to cause a daemon panic through a workspace overflow in shared VCL configurations.
Am I affected by CVE-2026-40395 in Varnish Enterprise?
You are affected if you are running Varnish Enterprise versions 6.0.9r5 through 6.0.16r12. Upgrade to 6.0.16r12 or later to resolve this vulnerability.
How do I fix CVE-2026-40395 in Varnish Enterprise?
The fix is to upgrade Varnish Enterprise to version 6.0.16r12 or later. If immediate upgrade is not possible, consider temporary workarounds like limiting header fields.
Is CVE-2026-40395 being actively exploited?
There is currently no evidence of CVE-2026-40395 being actively exploited, and no public proof-of-concept code is available.
Where can I find the official Varnish Enterprise advisory for CVE-2026-40395?
Refer to the official Varnish Software security advisory for CVE-2026-40395 on the Varnish Software website.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.