CVE-2026-40395 Overview
CVE-2026-40395 is a Denial of Service vulnerability in Varnish Enterprise before version 6.0.16r12 that allows malicious clients to trigger a workspace overflow, resulting in a daemon panic and server crash. The vulnerability exists in the headerplus.write_req0() function from vmod_headerplus, which updates the underlying req0 object. When an amended request contains too many header fields for req0, a workspace overflow occurs, triggering a panic that crashes the Varnish Enterprise server.
Critical Impact
Malicious clients can remotely crash Varnish Enterprise servers by sending requests with excessive header fields, causing service disruption for shared VCL deployments including those managed by Varnish Controller.
Affected Products
- Varnish Enterprise versions prior to 6.0.16r12
- Shared VCL deployments using vmod_headerplus
- Varnish Controller managed environments
Discovery Timeline
- April 12, 2026 - CVE-2026-40395 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40395
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue lies in how the headerplus.write_req0() function handles header field transfers between request objects in VCL processing.
In Varnish Enterprise, req0 represents the original read-only request from which the mutable req object is derived. The headerplus.write_req0() function allows VCL code to write an amended request back to req0, which is particularly useful when preparing a refined request before switching to a different VCL using the return (vcl(<label>)) action.
The vulnerability manifests when the amended req object contains more header fields than the workspace allocated for req0 can accommodate. Without proper bounds checking on the number of header fields, the function attempts to write beyond the allocated workspace memory, triggering a workspace overflow condition. This overflow causes the Varnish Enterprise daemon to panic and crash, effectively denying service to all clients.
Root Cause
The root cause is insufficient validation of header field counts before writing to the req0 workspace. The headerplus.write_req0() function fails to verify that the destination workspace has adequate capacity for the header fields being transferred from the amended request. This lack of resource allocation limits allows an attacker-controlled request with excessive headers to exhaust the workspace memory.
Attack Vector
An attacker can exploit this vulnerability by crafting HTTP requests with a large number of header fields targeting a Varnish Enterprise server that uses shared VCL with the vmod_headerplus module. The attack requires network access to the server but no authentication or user interaction. The attack flow involves:
- Attacker sends an HTTP request with an excessive number of header fields to the Varnish Enterprise server
- The VCL processing amends the request and calls headerplus.write_req0() to prepare for VCL switching
- The function attempts to write the oversized header collection to the req0 workspace
- The workspace overflow triggers a panic condition
- The Varnish Enterprise daemon crashes, causing service disruption
For detailed technical information, refer to the Varnish Security Advisory VEV00003.
Detection Methods for CVE-2026-40395
Indicators of Compromise
- Unexpected Varnish Enterprise daemon crashes with panic messages related to workspace overflow
- Log entries indicating workspace exhaustion or memory allocation failures in vmod_headerplus
- Spike in HTTP requests containing abnormally high numbers of header fields
- Service interruptions correlating with specific client request patterns
Detection Strategies
- Monitor Varnish Enterprise logs for panic events mentioning workspace overflow or headerplus.write_req0()
- Implement request header count monitoring at the load balancer or WAF level to detect anomalous requests
- Deploy anomaly detection for HTTP requests with header counts exceeding typical application thresholds
- Configure alerting on Varnish daemon process restarts or crashes
Monitoring Recommendations
- Set up real-time monitoring for Varnish Enterprise process health and automatic restart events
- Implement log aggregation to correlate crash events with incoming request patterns
- Track header field counts per request to establish baselines and detect outliers
- Monitor system metrics for sudden drops in Varnish connection handling capacity
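The header-count baseline and outlier check described in the detection and monitoring bullets above, as an added example that is not part of the advisory or of Varnish Software's code; the request builder, baseline numbers and threshold parameters are constructed for illustration.

```python
# Added example (not from the advisory or Varnish Software): count header
# fields per request and flag outliers against a learned baseline, as a
# detection control for the CVE-2026-40395 pattern. Sample data is constructed.
from typing import Iterable, List, Sequence, Tuple

def count_header_fields(raw_request: bytes) -> int:
    """Count header fields in a raw HTTP/1.1 request head.

    Obsolete line folding (a continuation line starting with SP or HTAB)
    extends the previous field and is not counted as a new one.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the request line
    return sum(1 for ln in lines if ln and ln[:1] not in (b" ", b"\t"))

def header_count_threshold(baseline: Iterable[int], factor: float = 4.0, floor: int = 64) -> int:
    """Alert threshold derived from observed per-request header counts.

    Takes the 95th percentile of the baseline, scales it by `factor`, and
    never goes below `floor`, so ordinary browser/API headers stay silent.
    """
    counts = sorted(baseline)
    if not counts:
        return floor
    p95 = counts[int(0.95 * (len(counts) - 1))]
    return max(floor, int(p95 * factor))

def flag_outliers(requests: Sequence[bytes], threshold: int) -> List[Tuple[int, int]]:
    """Return (index, header_count) for every request above the threshold."""
    out = []
    for i, req in enumerate(requests):
        n = count_header_fields(req)
        if n > threshold:
            out.append((i, n))
    return out

def build_request(n_headers: int) -> bytes:
    """Constructed sample request with n_headers generic fields (test data only)."""
    fields = b"".join(b"X-Field-%d: v\r\n" % i for i in range(n_headers))
    return b"GET / HTTP/1.1\r\nHost: cache.example\r\n" + fields + b"\r\n"

# Constructed baseline: typical header counts seen in normal traffic.
BASELINE_COUNTS = [8, 9, 10, 12, 11, 9, 8, 13, 10, 9]
# Constructed request using obs-fold: the folded line belongs to the Via field.
FOLDED = b"GET /a HTTP/1.1\r\nHost: cache.example\r\nVia: 1.1 a,\r\n 1.1 b\r\n\r\n"

if __name__ == "__main__":
    thr = header_count_threshold(BASELINE_COUNTS)
    sample = [build_request(10), FOLDED, build_request(300)]
    print(f"threshold={thr}", flag_outliers(sample, thr))  # threshold=64 [(2, 301)]
```

The same counting logic can be applied to request heads captured at a load balancer or WAF, where the flagged indices would become alerts correlated with Varnish restart events.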
How to Mitigate CVE-2026-40395
Immediate Actions Required
- Upgrade Varnish Enterprise to version 6.0.16r12 or later immediately
- If upgrade is not immediately possible, consider temporarily disabling shared VCL functionality
- Implement upstream request filtering to limit maximum header field counts
- Review VCL configurations using headerplus.write_req0() for potential exposure
Patch Information
Varnish Software has addressed this vulnerability in Varnish Enterprise version 6.0.16r12. Organizations running affected versions should upgrade as soon as possible. For detailed patch information and upgrade instructions, consult the Varnish Security Advisory VEV00003.
Workarounds
- Configure upstream proxies or load balancers to reject requests exceeding a reasonable header count threshold
- Implement VCL rules to inspect and limit header counts before processing with vmod_headerplus
- Consider isolating shared VCL deployments until patches can be applied
- Deploy WAF rules to filter requests with excessive header fields
# Example: bound total request-header size at an nginx upstream proxy.
# nginx has no per-request header-count directive; the buffer limit
# indirectly caps how many fields a client can send, and oversized
# request heads are rejected with HTTP 400 before they reach Varnish.
# Add to the nginx.conf server or location block ("4 8k" is the nginx
# default, so lower the values to actually tighten the limit)
large_client_header_buffers 4 8k;
# Monitor Varnish process health and watch the journal for panics
systemctl status varnish --no-pager
# journalctl --grep uses PCRE2 syntax, so alternation is a bare "|"
# (the escaped "\|" form would only match the literal text "panic|workspace")
journalctl -u varnish -f --grep="panic|workspace"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.