{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-40394", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-12T19:17:33.934Z", "datePublished": "2026-04-12T19:17:34.334Z", "dateUpdated": "2026-04-13T15:45:55.804Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Varnish Cache", "vendor": "varnish-software", "versions": [{"lessThan": "9.0.1", "status": "affected", "version": "9.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a \"workspace overflow\" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-12T19:32:07.658Z"}, "references": [{"url": "https://docs.varnish-software.com/security/VEV00002/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.1"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:45:49.035659Z", "id": "CVE-2026-40394", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:45:55.804Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40394", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:45:49.035659Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:45:53.119Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "varnish-software", "product": "Varnish Cache", "versions": [{"status": "affected", "version": "9.0.0", "lessThan": "9.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.varnish-software.com/security/VEV00002/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a \"workspace overflow\" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "9.0.1", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-12T19:32:07.658Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40394", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:45:55.804Z", "dateReserved": "2026-04-12T19:17:33.934Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-12T19:17:34.334Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a \"workspace overflow\" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace."}], "id": "CVE-2026-40394", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-12T20:16:17.857", "references": [{"source": "cve@mitre.org", "url": "https://docs.varnish-software.com/security/VEV00002/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "Varnish Cache: Varnish Enterprise: Varnish Cache and Varnish Enterprise: Denial of Service via workspace overflow", "id": "2457695", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457695"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a \"workspace overflow\" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.", "A flaw was found in Varnish Cache and Varnish Enterprise. A remote attacker can trigger a denial of service by sending specific amounts of prefetched data during an HTTP/2 session upgrade. This vulnerability, known as a \"workspace overflow,\" occurs when the system attempts to allocate a buffer, splitting the available memory workspace. Subsequent data processing then exhausts this limited workspace, causing the Varnish daemon to panic and become unavailable."], "name": "CVE-2026-40394", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "varnish", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "varnish:6/varnish", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "varnish", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-12T19:17:34Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40394\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40394\nhttps://docs.varnish-software.com/security/VEV00002/"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Varnish Cache", "source": "cna", "vendor": "varnish-software"}, "product": "varnish_cache", "vendor": "varnish-software"}], "analysis": {"en": {"generated_at": "2026-04-12T21:20:45.588038+00:00", "value": {"mitigation_remediation": ["Check the currently running Varnish Cache version", "Upgrade to Varnish Cache 9.0.1 or later, or to Varnish Enterprise 6.0.16r11 or later", "Restart the Varnish services to load the patched version"], "summary": {"action": "Upgrade", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Varnish Software\u2019s Varnish Cache versions before 9.0.1 and Varnish Enterprise versions before 6.0.16r11 are affected by this flaw.", "description_and_impact": "The vulnerability arises from a workspace overflow that occurs during the transition from a speculative HTTP/1 transport to an HTTP/2 session in Varnish Cache. When a buffer is allocated for the HTTP/2 session, the original workspace can be split, and if prefetched data is large enough the next fetch may run out of workspace, causing a daemon panic. This memory corruption flaw is identified as CWE\u2011670 and results in a denial of service when the Varnish process crashes.", "risk_and_exploitability": "The CVSS score of 4.0 indicates low to moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote client that initiates an HTTP/2 connection with data that triggers the overflow, leading to a service interruption."}}}}, "created": "2026-04-13T12:38:14.753647+00:00", "title": "Varnish Cache Workspace Overflow Denial of Service via HTTP/2 Upgrade", "updated": "2026-04-13T12:54:02.585960+00:00", "vendors": ["varnish-software", "varnish-software$PRODUCT$varnish_cache"]}