PT-2026-32185 · Varnish · Varnish Cache

Published: 2026-04-12 · Updated: 2026-04-13 · CVE-2026-40396

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Varnish Cache versions prior to 9.0.1

Description

Varnish Cache 9 before 9.0.1 is susceptible to a denial of service due to a workspace overflow, potentially leading to a daemon panic. A malicious client can exploit this by sending an HTTP/1 request, waiting for the session to release its worker thread, and then resuming traffic before the session is fully closed, sending multiple requests simultaneously. This triggers a pipelining operation that can cause a workspace overflow, resulting in a server crash. The issue stems from a port of the Varnish Enterprise non-blocking architecture for HTTP/2 and incomplete workspace rollback during pipelining configuration.

Recommendations

Update to Varnish Cache version 9.0.1 or later.

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2026-40396

Affected Products

Varnish Cache