Skip to main content

Red Hat EUVDEUVD-2026-21740

| CVE-2026-40395 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-12 mitre
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Red Hat
4.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 17, 2026 - 14:37 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
6.0.16r12
Analysis Generated
Apr 12, 2026 - 19:55 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 19:45 euvd
EUVD-2026-21740
Analysis Generated
Apr 12, 2026 - 19:45 vuln.today
CVE Published
Apr 12, 2026 - 19:21 nvd
MEDIUM 4.0

DescriptionCVE.org

Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.

AnalysisAI

Varnish Enterprise before version 6.0.16r12 is vulnerable to a workspace overflow denial of service attack that crashes the daemon through the headerplus.write_req0() VCL function. Unauthenticated remote attackers can craft HTTP requests with excessive header fields to trigger a panic and terminate the Varnish server, particularly impacting deployments using shared VCL through Varnish Controller. CVSS base score of 4.0 reflects low availability impact with high attack complexity, and no public exploit code or confirmed active exploitation has been identified.

Technical ContextAI

Varnish Enterprise is a reverse proxy and HTTP accelerator that uses VCL (Varnish Configuration Language) for request processing. The vmod_headerplus module provides the write_req0() function to update the underlying req0 object (the original read-only request from which the writable req object is derived in VCL). This capability is essential for shared VCL deployments orchestrated by Varnish Controller, where requests are refined in one VCL context before switching to another via vcl(<label>) return statements. The vulnerability stems from insufficient bounds checking when writing amended request headers back to req0's workspace allocation. When the amended req object contains more header fields than req0's workspace can accommodate, a buffer overflow occurs in the workspace memory region, triggering a daemon panic. The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), indicating the function lacks proper validation of header field count or size before attempting the write operation.

RemediationAI

Upgrade Varnish Enterprise to version 6.0.16r12 or later. This release includes fixes to the headerplus.write_req0() function to properly validate header field counts and workspace capacity before writing amended request headers back to req0, preventing the workspace overflow condition. As a temporary workaround for organizations unable to upgrade immediately, review and restrict VCL configurations that invoke headerplus.write_req0(), ensuring that incoming requests are validated or rate-limited to prevent excessive header field injection attacks. Consult the Varnish Software security advisory at https://docs.varnish-software.com/security/VEV00003/ for detailed patching procedures and configuration guidance specific to your deployment.

Vendor StatusVendor

Share

EUVD-2026-21740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy