Impact
Squid, the popular web caching proxy, contains a buffer over‑read flaw in its ICP message handling. When a remote host sends a malformed ICP request, Squid copies a small fragment of memory into an error response before the input has been validated, potentially exposing sensitive data such as credentials or configuration snippets. The weakness is a classic out‑of‑bounds read (CWE‑125) caused by improper input validation (CWE‑1289).
Affected Systems
The vulnerability applies to all versions of Squid prior to version 7.5 that have ICP support enabled, which is determined by configuring a non‑zero value for the icp_port parameter. The vendor identified in the CNA list is squid-cache:squid. Systems that have disabled ICP or left the default port unchanged are not affected.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate severity, and the EPSS score of 1 % suggests a low likelihood of exploitation at present; the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack can be carried out from any remote host that can reach the ICP port by sending specially crafted requests that trigger the out‑of‑bounds read, leading to information disclosure but no evidence of code execution or privilege escalation.
OpenCVE Enrichment
Debian DSA
Ubuntu USN