7.5
CVE-2026-40394
- EPSS 0.04%
- Veröffentlicht 12.04.2026 19:17:34
- Zuletzt bearbeitet 17.04.2026 14:35:23
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch National Vulnerability Database (NVD)
Varnish-software ≫ Varnish Enterprise Version <= 6.0.15
Varnish-software ≫ Varnish Enterprise Version6.0.16 Updater1
Varnish-software ≫ Varnish Enterprise Version6.0.16 Updater10
Varnish-software ≫ Varnish Enterprise Version6.0.16 Updater2
Varnish-software ≫ Varnish Enterprise Version6.0.16 Updater3
Varnish-software ≫ Varnish Enterprise Version6.0.16 Updater4
Varnish-software ≫ Varnish Enterprise Version6.0.16 Updater5
Varnish-software ≫ Varnish Enterprise Version6.0.16 Updater6
Varnish-software ≫ Varnish Enterprise Version6.0.16 Updater7
Varnish-software ≫ Varnish Enterprise Version6.0.16 Updater8
Varnish-software ≫ Varnish Enterprise Version6.0.16 Updater9
Vinyl-cache ≫ Vinyl Cache Version9.0.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.117 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| cve@mitre.org | 4 | 2.2 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
|
CWE-670 Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.