cbcvebase.
CVE-2011-4096
published 2011-11-17

Priority: P3 · 33 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 38.32% (98.4th percentile)

The idnsGrokReply function in Squid before 3.1.16 does not properly free memory, which allows remote attackers to cause a denial of service (daemon abort) via a DNS reply containing a CNAME record that references another CNAME record that contains an empty A record.

Affected

61 ranges· showing 25
Vendor | Product | Version range | Fixed in
squid-cache | squid | <= 3.1.15 |

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered by a DNS reply containing a CNAME record that references another CNAME record that contains an empty A record — monitor for such chained CNAME→CNAME→empty-A DNS responses directed at Squid proxy instances.
  • The vulnerable code path is in the idnsGrokReply function within src/dns_internal.cc of Squid — focus process-level monitoring and crash analysis on this function in affected Squid versions (before 3.1.16).
  • The flaw was introduced with IPv6 support in Squid 3.1 (changes to idnsGrokReply); Squid instances without IPv6 support (e.g., RHEL 4/5 builds) are not affected — scope detection to Squid 3.1.x builds with IPv6 enabled.
  • The upstream patch is available at the Launchpad Bazaar repository revision 10384 for the 3.1 branch — use this to identify the exact code delta for writing targeted detection rules or confirming patch status.
  • Only Squid 3.1.x builds with IPv6 support are affected; Squid as shipped with RHEL 4 and RHEL 5 (which lacked IPv6 support) is explicitly not affected.
  • The vulnerable merge logic (for AAAA and A result sets) is absent in RHEL 4/5 squid builds, confirming those are safe; detection/patching efforts should focus on Squid 3.1.x with IPv6 enabled.

CVSS provenance

nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat | | 5.0 | MEDIUM |