CVE-2026-33515
Squid has issues in ICP message handling
In short
Squid proxy can leak small amounts of memory when processing certain malformed ICP network messages, potentially exposing sensitive data. This only affects systems that have ICP support explicitly enabled.
Technical detail
Out-of-bounds read in Squid's ICP message handler (CWE-125, CWE-1289) caused by improper input validation. Remote attacker can trigger memory disclosure by sending crafted ICP requests to systems with non-zero icp_port configuration; impact is limited to small memory leaks but may contain sensitive information. icp_access rules do not mitigate this vulnerability.
Summary generated and translated by AI from the official description.
Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N
Affected products
squid-cache · squidWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165https://github.com/squid-cache/squid/pull/2220https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7chttp://www.openwall.com/lists/oss-security/2026/03/25/4