2457698 – (CVE-2026-40395) CVE-2026-40395 Varnish Enterprise: Varnish Enterprise: Denial of Service via workspace overflow

Bug 2457698 (CVE-2026-40395) - CVE-2026-40395 Varnish Enterprise: Varnish Enterprise: Denial of Service via workspace overflow

Summary: CVE-2026-40395 Varnish Enterprise: Varnish Enterprise: Denial of Service via ...

Keywords:
Status:	NEW
Alias:	CVE-2026-40395
Product:	Security Response
Classification:	Other
Component:	vulnerability-draft
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-12 20:01 UTC by OSIDB Bzimport
Modified:	2026-06-04 14:17 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-12 20:01:37 UTC

Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.

Note You need to log in before you can comment on or make changes to this bug.