Varnish Cache and Varnish Enterprise Workspace Overflow Denial-of-Service Vulnerability in HTTP/2 Sessions

Vulnerability

A denial-of-service vulnerability has been identified in Varnish Cache 9 versions prior to 9.0.1 and in Varnish Enterprise versions from 6.0.14r1 up to, but not including, 6.0.16r10. The flaw is a 'workspace overflow' that causes the daemon to panic when certain amounts of prefetched data are handled during the upgrade from an HTTP/1 session to an HTTP/2 session. The buffer allocation performed for the upgrade splits the original workspace, and, depending on how much data was prefetched, the next fetch can pipeline operations that exhaust the workspace that remains.

Impact

Exploitation of this vulnerability leads to a daemon panic, causing a denial-of-service condition on the affected system.

Remediation

Users are advised to upgrade to Varnish Cache 9.0.1 or Varnish Enterprise 6.0.16r11. After upgrading, restart Varnish so that the new version takes effect.
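A small inventory check for the version ranges stated above, written for this advisory and not taken from the Varnish project. It assumes the advisory's "prior to" bounds are exclusive (the bound itself is fixed) and that Enterprise versions carry an optional "rN" release suffix, as in 6.0.16r10; the version strings it is given are constructed inputs, not parsed from varnishd output.

```python
import re
from typing import Tuple

# Affected ranges as stated in the advisory: lower bound inclusive,
# upper bound exclusive. Assumption: a version equal to the "prior to"
# bound is treated as fixed.
AFFECTED_RANGES = {
    "cache": ((9, 0, 0, 0), (9, 0, 1, 0)),           # Varnish Cache 9 < 9.0.1
    "enterprise": ((6, 0, 14, 1), (6, 0, 16, 10)),   # 6.0.14r1 <= v < 6.0.16r10
}

# Upgrade targets named in the Remediation section.
FIXED_TARGET = {"cache": "9.0.1", "enterprise": "6.0.16r11"}

# "9.0.1" or "6.0.16r10": three numeric parts plus an optional rN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Varnish version string into a comparable 4-tuple.

    The Enterprise release suffix becomes the fourth component; a version
    with no suffix gets 0 there, so 6.0.16 sorts before 6.0.16r1.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Varnish version string: {text!r}")
    major, minor, patch, release = match.groups()
    return (int(major), int(minor), int(patch), int(release or 0))


def is_affected(product: str, version: str) -> bool:
    """True if the installed version falls inside the advisory's range."""
    low, high = AFFECTED_RANGES[product]
    return low <= parse_version(version) < high


def assess(product: str, version: str) -> str:
    """Return 'affected' plus the upgrade target, or 'not affected'."""
    if is_affected(product, version):
        return f"affected: upgrade to {FIXED_TARGET[product]} and restart varnishd"
    return "not affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for product, version in [("cache", "9.0.0"), ("cache", "9.0.1"),
                             ("enterprise", "6.0.16r9"), ("enterprise", "6.0.16r11")]:
        print(f"{product} {version}: {assess(product, version)}")
```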

Added: Apr 12, 2026, 8:20 PM
Updated: Apr 12, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 7.6
remediation: 7.7
relevance: 5.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.