HIGHVulnerability
Verified
Global

NVD HIGH: CVE-2026-40394 — Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "w...

·Source: NIST NVD

Updated:

Executive Summary

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames

Analysis

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace. CVSS Score: 4. Published: 2026-04-12T20:16:17.857.

Indicators of Compromise (1)

CVE (1)
CVE-2026-40394
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on Apr 12, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerabilityPOC

Microsoft’s incident response is getting a failing grade from researchers

Microsoft is ticking off a lot of researchers this week by claiming that those who dump proof-of-concept exploits for vulnerabilities they have not responsibly disclosed are enabling criminal activity, and that Microsoft will track them and bring cases against them. Whoever advised them to issue that statement may want to walk it back. Kevin Beaumont,... Source

DataBreaches.net
HIGHVulnerability

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the

CVE-2026-0257
The Hacker News
MEDIUMVulnerability

23andMe Failed to Stop Months-Long Hack, State Alleges

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/23andme-failed-to-stop-months-long-hack-state-alleges-image_small-2-a-31816.jpg" align=right hspace=4><b>Calif. Lawsuit: Genetics Testing Firm Missed Red Flags Before Massive 2023 Breach</b><br>Hackers in 2023 went undetected for five months in genetics testing firm 23andMe's IT systems, despite multiple unheeded warning signs, al

Bank Info Security