{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-40395", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-12T19:21:08.847Z", "datePublished": "2026-04-12T19:21:09.265Z", "dateUpdated": "2026-04-13T15:45:30.791Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Varnish Enterprise", "vendor": "varnish-software", "versions": [{"lessThan": "6.0.16r12", "status": "affected", "version": "6.0.9r5", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Varnish Enterprise before 6.0.16r12 allows a \"workspace overflow\" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-12T19:33:44.790Z"}, "references": [{"url": "https://docs.varnish-software.com/security/VEV00003/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.9r5", "versionEndExcluding": "6.0.16r12"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:45:24.491498Z", "id": "CVE-2026-40395", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:45:30.791Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40395", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:45:24.491498Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:45:27.838Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "varnish-software", "product": "Varnish Enterprise", "versions": [{"status": "affected", "version": "6.0.9r5", "lessThan": "6.0.16r12", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.varnish-software.com/security/VEV00003/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Varnish Enterprise before 6.0.16r12 allows a \"workspace overflow\" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.0.16r12", "versionStartIncluding": "6.0.9r5"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-12T19:33:44.790Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40395", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:45:30.791Z", "dateReserved": "2026-04-12T19:21:08.847Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-12T19:21:09.265Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Varnish Enterprise before 6.0.16r12 allows a \"workspace overflow\" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients."}], "id": "CVE-2026-40395", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-12T20:16:18.893", "references": [{"source": "cve@mitre.org", "url": "https://docs.varnish-software.com/security/VEV00003/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "Varnish: Varnish Enterprise: Denial of Service via workspace overflow", "id": "2457698", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457698"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Varnish Enterprise. A remote attacker can exploit this vulnerability by sending a request with an excessive number of header fields. This can cause a \"workspace overflow\" within the vmod_headerplus module, leading to a daemon panic and crashing the Varnish Enterprise server. This results in a Denial of Service (DoS), making the server unavailable to legitimate users."], "name": "CVE-2026-40395", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "varnish", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "varnish:6/varnish", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "varnish", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-12T19:21:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40395\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40395\nhttps://docs.varnish-software.com/security/VEV00003/"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.0.9r5,6.0.16r12)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Varnish Enterprise", "source": "cna", "vendor": "varnish-software"}, "product": "varnish_enterprise", "vendor": "varnish-software"}], "analysis": {"en": {"generated_at": "2026-04-12T20:20:22.241626+00:00", "value": {"mitigation_remediation": ["Apply the latest patch or upgrade to Varnish Enterprise 6.0.16r12 or later.", "Verify that the application is no longer crashing after updating the VCL handling of request headers."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Varnish Software\u2019s Varnish Enterprise product is affected. Versions prior to 6.0.16r12 are vulnerable. No additional vendor or product details are specified beyond the product name.", "description_and_impact": "The vulnerability allows an attacker to trigger a workspace overflow by sending a request that carries an excessive number of header fields. The affected function, headerplus.write_req0(), updates the underlying request object that VCL uses for switching VCL contexts. Excess headers overflow the allocated workspace, causing the daemon to panic and crash. This results in a denial of service against the Varnish Enterprise server.", "risk_and_exploitability": "The CVSS base score is 4.0, indicating moderate impact. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation data. The attack vector is presumably remote, as a malicious client can craft HTTP requests with many headers. If exploited, the server would crash, leading to temporary denial of service until the process is restarted."}}}}, "created": "2026-04-13T12:38:13.690252+00:00", "title": "Workspace Overflow Denial of Service in Varnish Enterprise", "updated": "2026-04-13T12:54:01.564893+00:00", "vendors": ["varnish-software", "varnish-software$PRODUCT$varnish_enterprise"]}