CVE-2026-33515

6.5 MEDIUM
Published: March 26, 2026 Modified: March 31, 2026
View on NVD

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
Source: security-advisories@github.com
Patch
https://github.com/squid-cache/squid/pull/2220
Source: security-advisories@github.com
Issue Tracking
https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637
Source: security-advisories@github.com
Issue Tracking
https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c
Source: security-advisories@github.com
Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/03/25/4
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory Mailing List

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.5 / 10.0
EPSS (Exploit Probability)
0.2%
36th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-125 CWE-1289

Affected Vendors

squid-cache

Related CVEs

CVE-2026-6416 2.7
CVE-2026-6408 2.7
CVE-2026-6392 2.7
CVE-2026-6386 N/A
CVE-2026-5398 N/A