Vulnerability Description
Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Squid-Cache | Squid | < 7.5 |
Related Weaknesses (CWE)
References
- https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912Patch
- https://github.com/squid-cache/squid/pull/2220Issue Tracking
- https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637Issue Tracking
- https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7cVendor Advisory
- http://www.openwall.com/lists/oss-security/2026/03/25/4Third Party AdvisoryMailing List
FAQ
What is CVE-2026-33515?
CVE-2026-33515 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker...
How severe is CVE-2026-33515?
CVE-2026-33515 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33515?
Check the references section above for vendor advisories and patch information. Affected products include: Squid-Cache Squid.