CVE-2026-33515
Published 2026-03-26
CVE-2026-33515: Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP…
Priority: P3 · 39 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 1.04% (59.7th percentile)
Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 7.5-1 (forky) | squid 7.5-1 (forky) |
| msrc | azl3_squid_6.13-3_on_azure_linux_3.0 | — | — |
| squid-cache | squid | < 7.5 | 7.5 |
| squid | squid | >= 0 < 7.5-1 | 7.5-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 6.9 | MEDIUM | |
| vendor_debian | | 6.9 | MEDIUM | |
| vendor_redhat | | 6.9 | MEDIUM | |
| vendor_msrc | | 5.3 | MEDIUM | |
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2026-04-08
CVE-2026-32748 Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
It was discovered that Squid incorrectly handled certain ICP traffic. In
environments where ICP support is enabled, a remote attacker could use this
issue to cause Squid to crash, resulting in a denial of service, or obtain
small amounts of sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
Squid: Squid: Information disclosure via improper input validation in ICP traffic
vendor_redhat·2026-03-26·CVSS 6.9
CVE-2026-33515 [MEDIUM] CWE-125 Squid: Squid: Information disclosure via improper input validation in ICP traffic
Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
A flaw was found in Squid, a caching proxy for the Web. Due to improper input validation, Squid is vulnerable to an out-of-bounds read when handling Inte
Microsoft
Squid has issues in ICP message handling
vendor_msrc·2026-03-10·CVSS 5.3
CVE-2026-33515 [MEDIUM] CWE-125 Squid has issues in ICP message handling
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Debian
CVE-2026-33515: squid - Squid is a caching proxy for the Web. Prior to version 7.5, due to improper inpu...
vendor_debian·2026·CVSS 6.9
CVE-2026-33515 [MEDIUM] CVE-2026-33515: squid - Squid is a caching proxy for the Web. Prior to version 7.5, due to improper inpu...
Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 7.5-1)
sid: resolved (fixed in 7.5-1)
trixie: open
OSV
CVE-2026-33515: Squid is a caching proxy for the Web
osv·2026-03-26·CVSS 6.9
CVE-2026-33515 [MEDIUM] CVE-2026-33515: Squid is a caching proxy for the Web
Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-33515 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-33515 [CRITICAL] CVE-2026-33515 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33515: Squid vulnerability analysis and mitigation
Source: NVD
Score: 6.9
Published March 26, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Squid
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
squid
squid34
Sources
NVD
CBL-Mariner 3.0 Severity MEDIUM Has Fix Added at: Mar 29, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 26, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 26, 2026
Echo Severity MEDIUM No Fix Added at: Mar 26, 2026
Homebrew Severity MEDIUM Has Fix Added at: Apr 02, 2026
Nix Severity MEDIUM Has Fix Added at:
Wiz
CVE-2026-33526 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-33526 [CRITICAL] CVE-2026-33526 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33526: Squid vulnerability analysis and mitigation
Source: NVD
Score: 9.2
Published March 26, 2026
Severity CRITICAL
CNA Score 9.2
Affected Technologies
Squid
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 82.3
Exploitation Probability (EPSS) 1.7
Affected packages and libraries
squid:4::squid
squid
Sources
NVD
AlmaLinux 9 Severity HIGH Has Fix Added at: Apr 02, 2026
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Mar 29, 2026
Debian 11 Severity HIGH No Fix Added at: Mar 26, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 26, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 26, 2026
Echo Severity HIGH No Fix Adde
Wiz
CVE-2026-32748 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-32748 [CRITICAL] CVE-2026-32748 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32748: Squid vulnerability analysis and mitigation
Source: NVD
Score: 8.7
Published March 26, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Squid
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 79.5
Exploitation Probability (EPSS) 1.3
Affected packages and libraries
squid:4::squid
squid
Sources
NVD
AlmaLinux 9 Severity HIGH Has Fix Added at: Apr 02, 2026
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Mar 29, 2026
Debian 11 Severity HIGH No Fix Added at: Mar 26, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 26, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 26, 2026
Echo Severity HIGH No Fix Added at
https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
https://github.com/squid-cache/squid/pull/2220
https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637
https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c
http://www.openwall.com/lists/oss-security/2026/03/25/4
Published: 2026-03-26