CVE-2026-33515 — Out-of-bounds Read in Squid

CWE-125 — Out-of-bounds Read CWE-1289 — Improper Validation of Unsafe Equivalence in Input8 documents8 sources

Severity

6.9MEDIUMNVD

EPSS

0.2%

top 63.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid-cache Squid Squid

Timeline

PublishedMar 26

Latest updateApr 8

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP q…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Affected Packages3 packages

▶CVEListV5squid-cache/squid< 7.5

▶NVDsquid-cache/squid< 7.5

▶Debiansquid/squid< 7.5-1

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

Squid has issues in ICP message handling↗2026-03-26

▶

OSV

CVE-2026-33515: Squid is a caching proxy for the Web↗2026-03-26

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2026-04-08

▶

Red Hat

Squid: Squid: Information disclosure via improper input validation in ICP traffic↗2026-03-26

▶

Microsoft

Squid has issues in ICP message handling↗2026-03-10

▶

Debian

CVE-2026-33515: squid - Squid is a caching proxy for the Web. Prior to version 7.5, due to improper inpu...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33515 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶