CVE-2026-40396 Overview
CVE-2026-40396 is a denial of service vulnerability in Varnish Cache 9.0.0 that allows a malicious client to trigger a workspace overflow, resulting in a daemon panic and server crash. The vulnerability emerged from the port of the Varnish Enterprise non-blocking architecture for HTTP/2 and affects the HTTP/1 request pipelining operation.
Critical Impact
Attackers can crash the Varnish Cache server by exploiting the workspace overflow during HTTP/1 pipelining operations, causing service disruption for all users relying on the caching proxy.
Affected Products
- Varnish Cache 9.0.0
Discovery Timeline
- 2026-04-12 - CVE CVE-2026-40396 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-40396
Vulnerability Analysis
This vulnerability is classified as CWE-670 (Always-Incorrect Control Flow Implementation). The flaw exists in the HTTP/1 request pipelining mechanism within Varnish Cache 9.0.0. When code was ported from Varnish Enterprise's non-blocking architecture for HTTP/2, new code was required to adapt to a more recent workspace API that formalizes pipelining operations.
During the code merge process, conflicts arose due to differences between the Varnish Cache and Varnish Enterprise codebases, including partial support for trailers in Varnish Enterprise. The conflict resolution missed a critical code path that should configure pipelining to perform a complete workspace rollback. This oversight removes the guarantee that prefetched data will fit inside workspace_client during the transition between requests.
Root Cause
The root cause lies in incomplete merge conflict resolution during the port of Varnish Enterprise's non-blocking HTTP/2 architecture to Varnish Cache. A code path responsible for configuring pipelining to perform a complete workspace rollback was missed, causing the system to lose the guarantee that prefetched data would fit within the workspace_client buffer. When this buffer is exceeded, it triggers a workspace overflow condition that causes the Varnish daemon to panic.
Attack Vector
An attacker can exploit this vulnerability by sending an HTTP/1 request to the Varnish Cache server, then waiting for the session to release its worker thread (controlled by the timeout_linger setting). Before the session closes (controlled by timeout_idle), the attacker resumes traffic and sends multiple requests simultaneously to trigger a pipelining operation. This sequence causes the workspace overflow condition, resulting in a daemon panic that crashes the Varnish server.
The attack requires network access and specific timing to exploit the window between timeout_linger and timeout_idle, making exploitation complexity higher than typical denial of service attacks.
Detection Methods for CVE-2026-40396
Indicators of Compromise
- Unexpected Varnish daemon crashes or panics in system logs
- Multiple rapid HTTP/1 connections from single source IPs exhibiting unusual timing patterns
- Workspace overflow errors in Varnish log files
- Service interruptions correlating with pipelined HTTP/1 request patterns
Detection Strategies
- Monitor Varnish daemon logs for panic events and workspace overflow messages
- Implement anomaly detection for HTTP/1 connections that exhibit long pauses followed by rapid multi-request bursts
- Track connection patterns matching the timeout_linger to timeout_idle exploitation window
- Deploy SentinelOne Singularity to detect and alert on service crash events and suspicious network patterns
Monitoring Recommendations
- Configure alerting for Varnish service restarts or unexpected terminations
- Monitor network traffic for HTTP/1 pipelining abuse patterns
- Establish baseline connection timing metrics to identify anomalous behavior
- Enable detailed Varnish logging to capture workspace-related events
How to Mitigate CVE-2026-40396
Immediate Actions Required
- Upgrade Varnish Cache to version 9.0.1 or later immediately
- Review and potentially reduce timeout_linger values to narrow the exploitation window
- Consider implementing rate limiting on HTTP/1 connections from individual IP addresses
- Monitor Varnish service health and configure automatic restart mechanisms as a temporary measure
Patch Information
Varnish has released version 9.0.1 which addresses this vulnerability. The patch corrects the workspace rollback code path that was missed during the merge from Varnish Enterprise. Detailed information is available in the GitHub release notes and the GitHub Issue #15 tracking this vulnerability.
Workarounds
- Reduce the timeout_linger parameter to minimize the exploitation window between worker thread release and session closure
- Implement front-end rate limiting to restrict rapid successive connections from single sources
- Deploy a Web Application Firewall (WAF) to detect and block suspicious HTTP/1 pipelining patterns
- Consider temporarily disabling HTTP/1 pipelining if operationally feasible while awaiting patch deployment
# Configuration example - reduce timeout_linger to minimize exploitation window
# In your Varnish VCL or startup parameters:
# -p timeout_linger=0.1
# Verify current Varnish version
varnishd -V
# Restart Varnish after upgrade to 9.0.1
systemctl restart varnish
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
