Denial of Service Vulnerability in Varnish Cache by Varnish Software
CVE-2026-40396

Score: 4 (MEDIUM)

Key Information:

Vendor: Varnish Software
CVE Published: 12 April 2026

What is CVE-2026-40396?

Varnish Cache 9.0.0 is vulnerable to denial of service through a workspace overflow caused by improper handling of HTTP/1 requests. A malicious client that exploits the timeout settings and sends multiple requests at once can trigger a pipelining operation that panics, crashing the Varnish server. The issue stems from conflicts in code adaptation related to workspace management, illustrating how new implementations can introduce unforeseen vulnerabilities.

Affected Version(s)

Varnish Cache 9.0.0 < 9.0.1

References

CVSS V3.1

Score: 4
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
