Cyber Resilience

CVE-2026-40394

Medium

Published: 12 April 2026
Modified: 17 April 2026
CVSS Score v3.1: 4.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L)
EPSS Score: 0.0006 (19.1th percentile)
Risk Priority: 8 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40394 is a medium-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Varnish-Software Varnish Enterprise. Its CVSS base score is 4.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 19.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-40394, published on 2026-04-12, is a workspace overflow vulnerability affecting Varnish Cache versions 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11. The flaw enables a denial of service (daemon panic) when processing certain amounts of prefetched data during HTTP/2 session upgrades. Specifically, an HTTP/2 session begins with a speculative HTTP/1 transport, which is repurposed as stream zero upon upgrade. This triggers a buffer allocation to reserve space for client frames, splitting the original workspace and potentially causing subsequent pipelining fetches to exhaust available workspace.

Unauthenticated remote attackers with network access (AV:N) can exploit this vulnerability, though it requires high attack complexity (AC:H) and no user interaction (UI:N). Exploitation leads to a low-impact availability disruption (A:L) via daemon panic, with no confidentiality or integrity effects (C:N/I:N), but a changed scope (S:C), resulting in a CVSS v3.1 base score of 4.0. The issue stems from CWE-670 (Always-Incorrect Control Flow Implementation).

The Varnish Software security advisory (https://docs.varnish-software.com/security/VEV00002/) addresses this vulnerability, recommending upgrades to Varnish Cache 9.0.1 or Varnish Enterprise 6.0.16r11 as the primary mitigation.

Vulnerability details

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability is a remote DoS flaw in a public-facing web cache/proxy (Varnish) that causes daemon panic via workspace exhaustion during HTTP/2 upgrades; this directly maps to exploiting a software vulnerability to crash an application and deny availability (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40396: Same product: Vinyl-Cache Vinyl Cache
CVE-2026-34475: Same product: Varnish-Software Varnish Enterprise
CVE-2026-40395: Same product: Varnish-Software Varnish Enterprise
CVE-2025-30347: Same product: Varnish-Software Varnish Enterprise
CVE-2025-58136: Shared CWE-670
CVE-2026-34946: Shared CWE-670
CVE-2025-43359: Shared CWE-670
CVE-2026-40960: Shared CWE-670
CVE-2026-1874: Shared CWE-670
CVE-2026-40200: Shared CWE-670

Affected Assets

varnish-software / varnish enterprise: 6.0.16 · ≤ 6.0.15
vinyl-cache / vinyl cache: 9.0.0

Mitigating Controls (NIST 800-53 r5)

prevent: Mandates timely flaw remediation through patching, directly addressing the workspace overflow vulnerability fixed in Varnish Cache 9.0.1 and Enterprise 6.0.16r11.

prevent, detect: Implements denial-of-service protections to counter daemon panic from workspace exhaustion during HTTP/2 session upgrades with prefetched data.

prevent: Protects critical resources from unauthorized depletion, mitigating workspace overflow triggered by buffer allocation splits and pipelining fetches.
