CVE-2019-12526
published 2019-11-26


Priority: P262, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 20.25% (97.1th percentile)

An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to a URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker-controlled data overflowing in the heap.

Affected

17 ranges
Vendor | Product | Version range | Fixed in
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
debian | debian_linux | |
debian | debian_linux | |
debian | debian_linux | |
debian | squid | < squid 4.9-1 (bookworm) | squid 4.9-1 (bookworm)
fedoraproject | fedora | |
fedoraproject | fedora | |
opensuse | leap | |
squid-cache | squid | 3.0 – 3.5.28 |
squid-cache | squid | 4.0 – 4.8 |
squid | squid | >= 0 < 4.9-1 | 4.9-1
squid | squid | >= 0 < 4.9-1 | 4.9-1
squid | squid | >= 0 < 4.9-1 | 4.9-1
squid | squid | >= 0 < 4.9-1 | 4.9-1

Detection & IOCs (extracted from sources)

port: 3128
command: GET urn::@:8080/ HTTP/1.1
  • Detect URN protocol requests being proxied through Squid — a GET request with a URN scheme (urn:) is the attack vector for this heap overflow
  • Monitor Squid for unexpected child process crashes and PID changes, which indicate successful exploitation of the URN heap overflow
  • The vulnerable code path is triggered via UrnState::operator new → urnStart → FwdState::Start; look for urn.cc stack frames in crash dumps
  • The overflow writes into heap memory adjacent to a 4184-byte UrnState buffer; ASan reports heap-buffer-overflow WRITE at offset 0 bytes past the region end
  • URN requests are not proxied by default; the vulnerability is only reachable if the Squid configuration explicitly permits the URN protocol (e.g., 'acl Safe_ports port 0'). Deployments without such ACLs are not directly exposed.
  • Upstream mitigation: add ACL rules to deny the urn: protocol for all clients in squid.conf to block the attack vector without patching.
  • On Red Hat products, Squid is confined with SELinux, which reduces (but does not eliminate) the risk of arbitrary code execution even if the overflow is triggered.
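
The first detection point above, as an added example (not code from this page or from the Squid project): a scan of Squid access.log for urn: scheme requests, separating those the ACLs denied from those that were proxied. It assumes Squid's native access.log layout; the log lines are constructed samples and the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in Squid's native access.log layout (assumed logformat):
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1574760001.123 45 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/198.51.100.7 text/html
1574760002.456 3 192.0.2.77 TCP_MISS/502 0 GET urn:example:resource - HIER_NONE/- -
1574760003.789 12 192.0.2.10 TCP_TUNNEL/200 3980 CONNECT example.org:443 - HIER_DIRECT/198.51.100.9 -
1574760004.001 2 192.0.2.77 TCP_DENIED/403 3900 GET URN:example:other - HIER_NONE/- text/html
truncated or malformed line
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        when = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
    except ValueError:
        return None
    result = parts[3].partition("/")[0]  # e.g. TCP_MISS, TCP_DENIED
    return {"time": when, "client": parts[2], "result": result,
            "method": parts[5], "url": parts[6]}

def find_urn_requests(log_text):
    """Requests whose URL uses the urn: scheme (scheme names are case-insensitive)."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["url"].lower().startswith("urn:")]

def allowed_by_client(hits):
    """Count URN requests per client that the ACLs did not deny."""
    return Counter(h["client"] for h in hits if "DENIED" not in h["result"])

if __name__ == "__main__":
    hits = find_urn_requests(SAMPLE_LOG)
    for h in hits:
        print(h["time"].isoformat(), h["client"], h["result"], h["url"])
    print("not denied:", dict(allowed_by_client(hits)))
```

A URN request that was not denied on a Squid release before 4.9 means the vulnerable code path was reachable for that client.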

CVSS provenance

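Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | | 9.8 | CRITICAL |
vendor_debian | | 9.8 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |
vendor_ubuntu | | 9.1 | CRITICAL |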