cvedb.io
CVE-2026-40395
MEDIUM · CVSS 4
EPSS exploitation probability: 0%
Published 2026-04-12T20:16:18.893 · Last modified 2026-06-17T10:45:14.283

Summary

Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by maliciou

Affected products

varnish-software — varnish_enterprise

Does this affect you?

Add your gear to cvedb and we'll alert you only when varnish-software ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.