Denial of Service Vulnerability in Varnish Enterprise by Varnish Software
CVE-2026-40395

Score: 4 (MEDIUM)

Key Information:

Vendor: Varnish Software
CVE Published: 12 April 2026

What is CVE-2026-40395?

Varnish Enterprise versions prior to 6.0.16r12 are vulnerable to a denial of service attack caused by a workspace overflow in the headerplus.write_req0() function. In shared VCL deployments, a malicious client can trigger the flaw, causing the server to panic and crash. The overflow occurs when the amended req contains more header fields than the req0 workspace can hold, so that writing them back overflows req0 and disrupts service. Users should upgrade to the latest version to mitigate the risk of these attacks.

Affected Version(s)

Varnish Enterprise 6.0.9r5 < 6.0.16r12

CVSS V3.1

Score: 4
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
