CVE-2026-40396: CWE-670 Always-Incorrect Control Flow Implementation in varnish-software Varnish Cache
Varnish Cache version 9. 0. 0 contains a vulnerability that allows a denial of service via a workspace overflow leading to a daemon panic. This occurs when a malicious client sends an HTTP/1 request, waits for the session to release its worker thread (timeout_linger), and then resumes traffic before the session closes (timeout_idle), sending multiple requests simultaneously to trigger pipelining. The issue stems from incomplete handling of workspace rollback during pipelining, causing prefetched data to exceed workspace limits and crash the server.
AI Analysis
Technical Summary
CVE-2026-40396 is a medium severity vulnerability in Varnish Cache 9.0.0 where improper control flow in the pipelining implementation causes a workspace overflow. This overflow triggers a daemon panic (crash) when a client exploits timing windows between timeout_linger and timeout_idle by sending multiple HTTP/1 requests in a pipelined manner. The root cause is a missed code path during merge conflict resolution adapting Varnish Enterprise's non-blocking HTTP/2 architecture to Varnish Cache, resulting in a failure to perform a complete workspace rollback and losing the guarantee that prefetched data fits within workspace_client. This leads to a denial of service condition.
Potential Impact
The vulnerability causes a denial of service by crashing the Varnish Cache server daemon. There is no indication of confidentiality or integrity impact. Exploitation requires network access and precise timing to trigger pipelining between requests. No known exploits are reported in the wild.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, consider restricting access to Varnish Cache 9.0.0 instances to trusted clients and monitor for unusual request patterns that may indicate attempts to exploit pipelining behavior.
CVE-2026-40396: CWE-670 Always-Incorrect Control Flow Implementation in varnish-software Varnish Cache
Description
Varnish Cache version 9. 0. 0 contains a vulnerability that allows a denial of service via a workspace overflow leading to a daemon panic. This occurs when a malicious client sends an HTTP/1 request, waits for the session to release its worker thread (timeout_linger), and then resumes traffic before the session closes (timeout_idle), sending multiple requests simultaneously to trigger pipelining. The issue stems from incomplete handling of workspace rollback during pipelining, causing prefetched data to exceed workspace limits and crash the server.
CVSS v3.1
Score 4.0medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40396 is a medium severity vulnerability in Varnish Cache 9.0.0 where improper control flow in the pipelining implementation causes a workspace overflow. This overflow triggers a daemon panic (crash) when a client exploits timing windows between timeout_linger and timeout_idle by sending multiple HTTP/1 requests in a pipelined manner. The root cause is a missed code path during merge conflict resolution adapting Varnish Enterprise's non-blocking HTTP/2 architecture to Varnish Cache, resulting in a failure to perform a complete workspace rollback and losing the guarantee that prefetched data fits within workspace_client. This leads to a denial of service condition.
Potential Impact
The vulnerability causes a denial of service by crashing the Varnish Cache server daemon. There is no indication of confidentiality or integrity impact. Exploitation requires network access and precise timing to trigger pipelining between requests. No known exploits are reported in the wild.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, consider restricting access to Varnish Cache 9.0.0 instances to trusted clients and monitor for unusual request patterns that may indicate attempts to exploit pipelining behavior.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-04-12T19:23:00.553Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dbf32682d89c981fb00945
Added to database: 4/12/2026, 7:31:50 PM
Last enriched: 4/20/2026, 6:21:31 AM
Last updated: 5/28/2026, 1:54:28 AM
Views: 88
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.