CVE-2026-33515 - Vulnerability Details

- Squid has issues in ICP message handling

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

Published: 2026-03-26

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Squid, the web caching proxy, contains an out‑of‑bounds read in its ICP message handling. When a client sends a malformed ICP request, Squid copies a small amount of memory into an error response before it has validated the input. The copied data may include confidential information, such as credentials or configuration snippets. The flaw is a classic buffer over‑read (CWE‑125) caused by improper input validation (CWE‑1289).

Affected Systems

The issue affects Squid implementations that enable ICP support – that is, when the configuration parameter `icp_port` is set to a non‑zero value. All Squid releases prior to version 7.5 are vulnerable, including the widely deployed 7.0, 7.2 and early 7.4 series. Systems that have disabled ICP or left the default port unchanged are not impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS scoring shows an exploitation likelihood of less than 1 %, and the vulnerability is not listed in the CISA KEV catalog. Exploitation can be carried out from any remote host that can reach the ICP port, by sending specially crafted requests that trigger the out‑of‑bounds read. The result is information disclosure; there is no evidence of code execution or other escalation. The recommended mitigation is to upgrade to Squid 7.5 or later, or to disable ICP if it is not required.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

squid-cache

squid

affected

Version	Status	Constraints
`< 7.5`	affected	—

Configuration 1 [-]

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Squid-cache

Squid

100%

Version	Status	Scheme	Platform
`[0,7.5)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Squid to version 7.5 or newer which contains the patch for the ICP over‑read bug.

Generated by OpenCVE AI on March 31, 2026 at 05:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8157-1	Squid vulnerabilities

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00131.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/03/25/4
https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
https://github.com/squid-cache/squid/pull/2220
https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637
https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c
https://nvd.nist.gov/vuln/detail/CVE-2026-33515
https://www.cve.org/CVERecord?id=CVE-2026-33515

History

Tue, 31 Mar 2026 03:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:squid-cache:squid::::::::
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

Thu, 26 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-33515 https://www.cve.org/CVERecord?id=CVE-2026-33515
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}` threat_severity `Moderate`

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Squid-cache Squid-cache squid
Vendors & Products		Squid-cache Squid-cache squid

Thu, 26 Mar 2026 01:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/25/4

Thu, 26 Mar 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Title		Squid has issues in ICP message handling
Weaknesses		CWE-125 CWE-1289
References		https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165 https://github.com/squid-cache/squid/pull/2220 https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637 https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N'}`

Subscriptions

Squid-cache Squid

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-26T00:13:51.127Z

Updated: 2026-03-26T14:19:39.660Z

Reserved: 2026-03-20T16:59:08.891Z

Link: CVE-2026-33515

Vulnrichment

Updated: 2026-03-26T00:24:56.505Z

NVD

Status : Analyzed

Published: 2026-03-26T01:16:27.690

Modified: 2026-03-31T01:22:04.203

Link: CVE-2026-33515

Redhat

Severity : Moderate

Publid Date: 2026-03-26T00:13:51Z

Links: CVE-2026-33515 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-31T20:09:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object