CVE-2026-40395
Published: 12 April 2026
Summary
CVE-2026-40395 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Varnish-Software Varnish Enterprise. Its CVSS base score is 4.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Exploit likelihood ranks at the 17.2 percentile (below the median), and the CVE is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the workspace overflow vulnerability by applying the vendor patch in Varnish Enterprise 6.0.16r12 or later, which prevents headerplus.write_req0() overflows.
- SC-5 (Denial-of-service Protection): protects against denial of service from resource exhaustion by enforcing limits on HTTP header count and size, so that the copy into req0 cannot overflow the workspace.
- Validates incoming client request headers for excessive length or count before VCL processing, removing the trigger condition for req0 workspace overflows.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote unauthenticated exploitation of a public-facing Varnish service via crafted requests to cause application crash, directly mapping to T1190 (Exploit Public-Facing Application) for initial access/impact and T1499.004 (Application or System Exploitation) for endpoint DoS.
NVD Description
Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.
Deeper analysis
CVE-2026-40395 is a workspace overflow vulnerability in Varnish Enterprise versions before 6.0.16r12, specifically affecting shared VCL deployments that utilize the headerplus.write_req0() function from the vmod_headerplus module. This function updates the underlying req0 workspace, which is typically a read-only representation of the original client request derived into the writable req object in VCL. When an amended request contains too many header fields for the req0 workspace capacity, it triggers an overflow, leading to a daemon panic and server crash. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 4.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L).
Unauthenticated remote attackers, acting as malicious clients, can exploit this vulnerability over the network by crafting requests that result in an excessively large number of headers after VCL processing. This occurs in scenarios involving VCL label switches, such as those used by the Varnish Controller for shared VCL operations, where the refined req0 preparation overflows the workspace. Successful exploitation causes a denial of service through server panic and crash, though the high attack complexity (AC:H) and scoped impact limit broader effects.
The Varnish Software security advisory at https://docs.varnish-software.com/security/VEV00003/ details the issue, confirming that Varnish Enterprise 6.0.16r12 addresses the vulnerability by preventing the workspace overflow in headerplus.write_req0(). Security practitioners should upgrade to this version or later for affected deployments using shared VCL and vmod_headerplus.
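The mitigation described above (bounding header count and size before VCL logic runs, and checking that the headers an amended req would carry still fit the fixed-size req0 workspace) can be illustrated with a small model. The following Python is an added example written for this page; it is not Varnish code, not part of vmod_headerplus, and does not reproduce Varnish's actual workspace accounting. The names HeaderLimits, check_request_headers and workspace_headroom are hypothetical, the numeric limits are assumptions chosen to mirror varnishd's documented defaults for http_max_hdr (64), http_req_hdr_len (8k) and http_req_size (32k), and the workspace figures and sample requests are constructed.

```python
"""Pre-VCL header budget check and workspace headroom estimate.

Added illustration for CVE-2026-40395 (not Varnish or vmod_headerplus code).
Models the defensive gate: flag a request whose headers are too many or too
large before VCL processing, and estimate whether copying the amended header
set into a fixed-size workspace (the headerplus.write_req0() step) would
overflow it. Limits below are ASSUMED values mirroring varnishd defaults;
the workspace sizes used in the samples are constructed, not Varnish constants.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Sequence, Tuple

Header = Tuple[str, str]


@dataclass(frozen=True)
class HeaderLimits:
    max_headers: int = 64            # assumed, analogous to varnishd http_max_hdr
    max_header_bytes: int = 8192     # assumed, analogous to http_req_hdr_len
    max_request_bytes: int = 32768   # assumed, analogous to http_req_size


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def header_wire_size(name: str, value: str) -> int:
    """Bytes a header occupies as 'Name: value\\r\\n' (ASCII assumed)."""
    return len(name) + 2 + len(value) + 2


def check_request_headers(headers: Sequence[Header],
                          limits: HeaderLimits = HeaderLimits()) -> Verdict:
    """Gate a client request on header count, per-header size and total size."""
    reasons: List[str] = []
    if len(headers) > limits.max_headers:
        reasons.append(f"header count {len(headers)} exceeds {limits.max_headers}")
    total = 0
    for name, value in headers:
        size = header_wire_size(name, value)
        total += size
        if size > limits.max_header_bytes:
            reasons.append(f"header {name!r} is {size} bytes, limit {limits.max_header_bytes}")
    if total > limits.max_request_bytes:
        reasons.append(f"headers total {total} bytes, limit {limits.max_request_bytes}")
    return Verdict(accepted=not reasons, reasons=reasons)


def workspace_headroom(headers: Iterable[Header], workspace_bytes: int,
                       added_headers: Iterable[Header] = ()) -> int:
    """Bytes left in a workspace after copying the original headers plus any
    headers VCL intends to add before the req0 write. Negative = would overflow."""
    used = sum(header_wire_size(n, v) for n, v in (*headers, *added_headers))
    return workspace_bytes - used


# Constructed sample requests (not captured traffic).
BENIGN: List[Header] = [("Host", "example.test"), ("User-Agent", "curl/8.0"), ("Accept", "*/*")]
TOO_MANY: List[Header] = [(f"X-Pad-{i}", "a" * 100) for i in range(80)]
OVERSIZED: List[Header] = [("Cookie", "c" * 9000)]


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("too-many", TOO_MANY), ("oversized", OVERSIZED)):
        verdict = check_request_headers(req)
        room = workspace_headroom(req, 8192, added_headers=[("X-Label", "shared")])
        print(f"{label:9s} accepted={verdict.accepted} headroom={room} {verdict.reasons}")
```

Rejecting a request at this gate is cheap compared with the alternative the advisory describes, a daemon panic that takes the whole cache down; the headroom estimate is the check a deployment would want to run on the header set it is about to hand to write_req0(), with the VCL-added headers included.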
Details
- CWE(s)