Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Lifecycle Timeline
6DescriptionCVE.org
Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.
AnalysisAI
Denial of service via workspace overflow in Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows unauthenticated remote attackers to trigger daemon panic through HTTP/2 session upgrade with specific amounts of prefetched data. The vulnerability exploits improper buffer allocation during HTTP/1 to HTTP/2 transport upgrade, causing workspace exhaustion on subsequent pipelined fetch operations. EPSS score of 4.0 (low-to-medium risk) reflects attack complexity and limited scope (local availability impact only), though no public exploit code or active exploitation has been confirmed.
Technical ContextAI
Varnish Cache is a high-performance HTTP accelerator and reverse proxy that manages request/response lifecycle using workspace buffers for memory allocation. The vulnerability resides in the HTTP/2 session initialization logic (CWE-670: Improper Error Handling) where a speculative HTTP/1 transport is established first, then upgraded to HTTP/2. During upgrade, the system allocates a buffer to reserve frame-sending capacity, which fragments the workspace. When the HTTP/1 request is repurposed as stream zero in the new HTTP/2 session and subsequent fetch operations attempt pipelining, the fragmented workspace becomes insufficient, causing allocation failure and daemon panic. The affected products are Varnish Cache versions prior to 9.0.1 and Varnish Enterprise versions before 6.0.16r11, as identified in the CPE string for a:varnish-software:varnish_cache.
RemediationAI
Upgrade Varnish Cache to version 9.0.1 or later, or upgrade Varnish Enterprise to version 6.0.16r11 or later. Administrators unable to patch immediately should monitor Varnish daemon logs for panic events triggered by workspace allocation failures during HTTP/2 session upgrade, and consider network-level rate limiting or request filtering on HTTP/2 upgrade attempts if feasible. Consult the vendor security advisory at https://docs.varnish-software.com/security/VEV00002/ for environment-specific guidance and confirmation of patched versions for your deployment.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21738
GHSA-26pg-g54q-jv62