CVE-2026-40396: CWE-670 Always-Incorrect Control Flow Implementation in varnish-software Varnish Cache
Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.
AI Analysis
Technical Summary
CVE-2026-40396 affects Varnish Cache 9.0.0 and is caused by an always-incorrect control flow implementation (CWE-670) related to workspace management during HTTP request pipelining. The vulnerability arises from a port of Varnish Enterprise's non-blocking HTTP/2 architecture, where a code path was missed that should have ensured complete workspace rollback during pipelining transitions. This leads to a workspace overflow when a malicious client sends multiple HTTP/1 requests in a specific timing window, causing a daemon panic and server crash. The flaw does not affect confidentiality or integrity but results in a denial of service.
Potential Impact
The impact is limited to denial of service through a daemon panic and crash of the Varnish Cache server. There is no indication of confidentiality or integrity compromise. The vulnerability requires network access and high attack complexity, with no privileges or user interaction needed. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider limiting exposure of Varnish Cache 9.0.0 to untrusted clients or apply any recommended temporary mitigations from the vendor. Monitor vendor channels for updates and apply patches promptly once available.
CVE-2026-40396: CWE-670 Always-Incorrect Control Flow Implementation in varnish-software Varnish Cache
Description
Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40396 affects Varnish Cache 9.0.0 and is caused by an always-incorrect control flow implementation (CWE-670) related to workspace management during HTTP request pipelining. The vulnerability arises from a port of Varnish Enterprise's non-blocking HTTP/2 architecture, where a code path was missed that should have ensured complete workspace rollback during pipelining transitions. This leads to a workspace overflow when a malicious client sends multiple HTTP/1 requests in a specific timing window, causing a daemon panic and server crash. The flaw does not affect confidentiality or integrity but results in a denial of service.
Potential Impact
The impact is limited to denial of service through a daemon panic and crash of the Varnish Cache server. There is no indication of confidentiality or integrity compromise. The vulnerability requires network access and high attack complexity, with no privileges or user interaction needed. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider limiting exposure of Varnish Cache 9.0.0 to untrusted clients or apply any recommended temporary mitigations from the vendor. Monitor vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-04-12T19:23:00.553Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dbf32682d89c981fb00945
Added to database: 4/12/2026, 7:31:50 PM
Last enriched: 4/12/2026, 7:46:47 PM
Last updated: 4/12/2026, 9:03:45 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.