Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Lifecycle Timeline
6DescriptionCVE.org
Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.
AnalysisAI
Varnish Cache 9.0.0 crashes (denial of service) when a remote client exploits timing between timeout_linger and timeout_idle to trigger HTTP/1 request pipelining that causes a workspace overflow in the refactored HTTP/2 architecture. The vulnerability stems from incomplete code path handling during workspace rollback in the recent non-blocking port, allowing prefetched data to exceed workspace_client boundaries and panic the daemon. Vendor-released patch: version 9.0.1. No public exploit code identified at time of analysis, but the attack requires only network access and careful timing, making real-world exploitation feasible for sophisticated attackers.
Technical ContextAI
Varnish Cache is a high-performance HTTP reverse proxy and caching engine. The vulnerability roots in CWE-670 (Always-Incorrect Control Flow Implementation) within the workspace memory management subsystem introduced during Varnish 9.0.0's port of Varnish Enterprise's non-blocking HTTP/2 architecture to the open-source codebase. The workspace API formalizes request pipelining operations and enforces memory boundaries via workspace_client limits. The bug manifests in a code path that performs incomplete workspace rollback during the transition between pipelined requests, violating the invariant that prefetched data must fit within workspace_client. When a malicious client sends an HTTP/1 request, waits for timeout_linger to release the worker thread, then resumes with multiple pipelined requests before timeout_idle closes the session, the incomplete rollback fails to reclaim workspace space, triggering heap or stack corruption detected by Varnish's panic handler.
RemediationAI
Upgrade Varnish Cache to version 9.0.1 or later immediately. Vendor-released patch: version 9.0.1. For organizations unable to patch immediately, consider temporary mitigation: reduce timeout_linger to near-zero values to eliminate the timing window between worker thread release and session closure, reducing pipelining opportunities; however, this may impact performance for legitimate keep-alive clients. Alternatively, implement network-level request pipelining detection or rate-limiting at reverse proxy or load balancer level to constrain the attack surface. Refer to the official Varnish advisory at https://github.com/varnish/varnish/releases/tag/varnish-9.0.1 and monitor https://github.com/varnish/varnish/issues/15 for additional context.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21742