MEDIUM🇬🇧 English

CVE-2026-40395

CVSS 4.0v3.1pub. 2026-04-12upd. 2026-04-17

Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
  • Varnish Software Varnish Enterprise

    APP
    Varnish-Software
    6.0.16≤ 6.0.15
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
DoS
CWE
Referencje

Powiązane podatności

CVE-2026-40394MEDIUM4.0ten sam produkt

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of s...

CVE-2026-34475MEDIUM5.4ten sam produkt

Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mi...

CVE-2025-30346MEDIUM5.4ten sam produkt

Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 request...

CVE-2025-30347MEDIUM4.0ten sam produkt

Varnish Enterprise before 6.0.13r13 allows remote attackers to obtain sensitive information via an out-of-boun...

CVE-2023-41104MEDIUM6.5ten sam produkt

libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory ...