CVE-2026-40394
Published: 12 April 2026
Summary
CVE-2026-40394 is a medium-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Varnish-Software Varnish Enterprise. Its CVSS base score is 4.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 17.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Mandates timely flaw remediation through patching, directly addressing the workspace overflow vulnerability fixed in Varnish Cache 9.0.1 and Enterprise 6.0.16r11.
Implements denial-of-service protections to counter daemon panic from workspace exhaustion during HTTP/2 session upgrades with prefetched data.
Protects critical resources from unauthorized depletion, mitigating workspace overflow triggered by buffer allocation splits and pipelining fetches.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote DoS flaw in a public-facing web cache/proxy (Varnish) that causes daemon panic via workspace exhaustion during HTTP/2 upgrades; this directly maps to exploiting a software vulnerability to crash an application and deny availability (T1499.004).
NVD Description
Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.
Deeper analysis
CVE-2026-40394, published on 2026-04-12, is a workspace overflow vulnerability affecting Varnish Cache versions 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11. The flaw enables a denial of service (daemon panic) when processing certain amounts of prefetched data during HTTP/2 session upgrades. Specifically, an HTTP/2 session begins with a speculative HTTP/1 transport, which is repurposed as stream zero upon upgrade. This triggers a buffer allocation to reserve space for client frames, splitting the original workspace and potentially causing subsequent pipelining fetches to exhaust available workspace.
Unauthenticated remote attackers with network access (AV:N) can exploit this vulnerability; it requires high attack complexity (AC:H) but no user interaction (UI:N). Exploitation leads to a low-impact availability disruption (A:L) via daemon panic, with no confidentiality or integrity effects (C:N/I:N) but a changed scope (S:C), resulting in a CVSS v3.1 base score of 4.0. The issue stems from CWE-670 (Always-Incorrect Control Flow Implementation).
The Varnish Software security advisory (https://docs.varnish-software.com/security/VEV00002/) addresses this vulnerability, recommending upgrades to Varnish Cache 9.0.1 or Varnish Enterprise 6.0.16r11 as the primary mitigation.
Details
- CWE(s)