{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-12T19:21:09Z",
  "bugzilla" : {
    "description" : "Varnish: Varnish Enterprise: Denial of Service via workspace overflow",
    "id" : "2457698",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457698"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-770",
  "details" : [ "Varnish Enterprise before 6.0.16r12 allows a \"workspace overflow\" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.", "A flaw was found in Varnish Enterprise. A remote attacker can exploit this vulnerability by sending a request with an excessive number of header fields. This can cause a \"workspace overflow\" within the vmod_headerplus module, leading to a daemon panic and crashing the Varnish Enterprise server. This results in a Denial of Service (DoS), making the server unavailable to legitimate users." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "varnish",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "varnish:6/varnish",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "varnish",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40395\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40395\nhttps://docs.varnish-software.com/security/VEV00003/" ],
  "name" : "CVE-2026-40395",
  "csaw" : false
}