CVE-2026-40394: Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (da

Description

A vulnerability, which was classified as problematic, was found in Varnish Cache up to 9.0.0. The affected element is an unknown function. Such manipulation leads to incorrect control flow. This vulnerability is traded as CVE-2026-40394. The attack may be launched remotely.

Affected Products

Vendor	Product	Versions
varnish-	varnish cache	9.0.0

References

https://docs.varnish-software.com/security/VEV00002/

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-40394 | Varnish Cache up to 9.0.0 control flow

→ No new info (linked only)

CVSS 3.14.0 MEDIUM

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

CISA KEV❌ No

Actively exploited❌ No

Patch available

9.0.1

CWECWE-670

PublishedApr 12, 2026

Last enriched4h agov2

Trending Score23

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated description with new details about the vulnerability and confirmed no exploit is available.

description

via VulDB

v15h ago

Initial creation

CVE-2026-40394: Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (da

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History