2457695 – (CVE-2026-40394) CVE-2026-40394 Varnish Cache: Varnish Enterprise: Varnish Cache and Varnish Enterprise: Denial of Service via workspace overflow

Bug 2457695 (CVE-2026-40394) - CVE-2026-40394 Varnish Cache: Varnish Enterprise: Varnish Cache and Varnish Enterprise: Denial of Service via workspace overflow

Summary: CVE-2026-40394 Varnish Cache: Varnish Enterprise: Varnish Cache and Varnish E...

Keywords:
Status:	NEW
Alias:	CVE-2026-40394
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-12 20:01 UTC by OSIDB Bzimport
Modified:	2026-04-13 13:06 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-12 20:01:26 UTC

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.

Note You need to log in before you can comment on or make changes to this bug.