CVE-2026-33515

EUVD-2026-16067
Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
Affected Products (NVD)
VendorProductVersion
squid-cachesquid
𝑥
< 7.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
squid
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
forky
7.5-1
fixed
sid
7.5-1
fixed
trixie
no-dsa
trixie (security)
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
squid
focal
needs-triage
jammy
Fixed 5.9-0ubuntu0.22.04.5
released
noble
Fixed 6.14-0ubuntu0.24.04.2
released
questing
Fixed 6.14-0ubuntu0.25.10.2
released
resolute
not-affected
squid3
bionic
needs-triage
jammy
dne
noble
dne
questing
dne
resolute
dne
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
https://github.com/squid-cache/squid/pull/2220
https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637
https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c
http://www.openwall.com/lists/oss-security/2026/03/25/4