cvedb.io
CVE-2026-40396
MEDIUM · CVSS 4
EPSS exploitation probability: 0%
Published 2026-04-12T20:16:19.057 · Last modified 2026-06-17T10:45:14.403

Summary

Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The con

Affected products

vinyl-cache — vinyl_cache

Does this affect you?

Add your gear to cvedb and we'll alert you only when vinyl-cache ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.