Skip to main content

Red Hat CVE-2026-40396

| EUVDEUVD-2026-21742 MEDIUM
Always-Incorrect Control Flow Implementation (CWE-670)
2026-04-12 mitre
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 17, 2026 - 14:38 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
9.0.1
Analysis Generated
Apr 12, 2026 - 19:55 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 19:45 euvd
EUVD-2026-21742
Analysis Generated
Apr 12, 2026 - 19:45 vuln.today
CVE Published
Apr 12, 2026 - 19:23 nvd
MEDIUM 4.0

DescriptionCVE.org

Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.

AnalysisAI

Varnish Cache 9.0.0 crashes (denial of service) when a remote client exploits timing between timeout_linger and timeout_idle to trigger HTTP/1 request pipelining that causes a workspace overflow in the refactored HTTP/2 architecture. The vulnerability stems from incomplete code path handling during workspace rollback in the recent non-blocking port, allowing prefetched data to exceed workspace_client boundaries and panic the daemon. Vendor-released patch: version 9.0.1. No public exploit code identified at time of analysis, but the attack requires only network access and careful timing, making real-world exploitation feasible for sophisticated attackers.

Technical ContextAI

Varnish Cache is a high-performance HTTP reverse proxy and caching engine. The vulnerability roots in CWE-670 (Always-Incorrect Control Flow Implementation) within the workspace memory management subsystem introduced during Varnish 9.0.0's port of Varnish Enterprise's non-blocking HTTP/2 architecture to the open-source codebase. The workspace API formalizes request pipelining operations and enforces memory boundaries via workspace_client limits. The bug manifests in a code path that performs incomplete workspace rollback during the transition between pipelined requests, violating the invariant that prefetched data must fit within workspace_client. When a malicious client sends an HTTP/1 request, waits for timeout_linger to release the worker thread, then resumes with multiple pipelined requests before timeout_idle closes the session, the incomplete rollback fails to reclaim workspace space, triggering heap or stack corruption detected by Varnish's panic handler.

RemediationAI

Upgrade Varnish Cache to version 9.0.1 or later immediately. Vendor-released patch: version 9.0.1. For organizations unable to patch immediately, consider temporary mitigation: reduce timeout_linger to near-zero values to eliminate the timing window between worker thread release and session closure, reducing pipelining opportunities; however, this may impact performance for legitimate keep-alive clients. Alternatively, implement network-level request pipelining detection or rate-limiting at reverse proxy or load balancer level to constrain the attack surface. Refer to the official Varnish advisory at https://github.com/varnish/varnish/releases/tag/varnish-9.0.1 and monitor https://github.com/varnish/varnish/issues/15 for additional context.

Vendor StatusVendor

Share

CVE-2026-40396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy