Skip to main content

Red Hat EUVDEUVD-2026-21738

| CVE-2026-40394 MEDIUM
Always-Incorrect Control Flow Implementation (CWE-670)
2026-04-12 mitre GHSA-26pg-g54q-jv62
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 17, 2026 - 14:35 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
9.0.1
Analysis Generated
Apr 12, 2026 - 19:55 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 19:45 euvd
EUVD-2026-21738
Analysis Generated
Apr 12, 2026 - 19:45 vuln.today
CVE Published
Apr 12, 2026 - 19:17 nvd
MEDIUM 4.0

DescriptionCVE.org

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.

AnalysisAI

Denial of service via workspace overflow in Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows unauthenticated remote attackers to trigger daemon panic through HTTP/2 session upgrade with specific amounts of prefetched data. The vulnerability exploits improper buffer allocation during HTTP/1 to HTTP/2 transport upgrade, causing workspace exhaustion on subsequent pipelined fetch operations. EPSS score of 4.0 (low-to-medium risk) reflects attack complexity and limited scope (local availability impact only), though no public exploit code or active exploitation has been confirmed.

Technical ContextAI

Varnish Cache is a high-performance HTTP accelerator and reverse proxy that manages request/response lifecycle using workspace buffers for memory allocation. The vulnerability resides in the HTTP/2 session initialization logic (CWE-670: Improper Error Handling) where a speculative HTTP/1 transport is established first, then upgraded to HTTP/2. During upgrade, the system allocates a buffer to reserve frame-sending capacity, which fragments the workspace. When the HTTP/1 request is repurposed as stream zero in the new HTTP/2 session and subsequent fetch operations attempt pipelining, the fragmented workspace becomes insufficient, causing allocation failure and daemon panic. The affected products are Varnish Cache versions prior to 9.0.1 and Varnish Enterprise versions before 6.0.16r11, as identified in the CPE string for a:varnish-software:varnish_cache.

RemediationAI

Upgrade Varnish Cache to version 9.0.1 or later, or upgrade Varnish Enterprise to version 6.0.16r11 or later. Administrators unable to patch immediately should monitor Varnish daemon logs for panic events triggered by workspace allocation failures during HTTP/2 session upgrade, and consider network-level rate limiting or request filtering on HTTP/2 upgrade attempts if feasible. Consult the vendor security advisory at https://docs.varnish-software.com/security/VEV00002/ for environment-specific guidance and confirmation of patched versions for your deployment.

Vendor StatusVendor

Share

EUVD-2026-21738 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy