Squid EUVD-2026-16067 | CVE-2026-33515

Severity: MEDIUM 6.9 (CVSS 4.0, GitHub Advisory)
Weakness: Out-of-bounds Read (CWE-125)
Published: 2026-03-26 (source: GitHub_M)

Severity by source

Source           Rating       Basis
GitHub Advisory  6.9 MEDIUM   CVSS 4.0 (primary): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ubuntu           MEDIUM       qualitative
SUSE             7.5 HIGH     CVSS 3.x vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat          5.3 MEDIUM   qualitative

Primary rating from GitHub Advisory. The sources disagree on confidentiality impact: SUSE rates it High (C:H, hence 7.5), while the GitHub vector rates it Low (VC:L). No source rates any availability impact.

CVSS Vector (GitHub Advisory)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability None
Subsequent System Impact: Confidentiality Low, Integrity None, Availability None
Threat, Environmental and Supplemental metrics: not defined (X). CVSS 4.0 has no Scope metric; the vulnerable/subsequent system split above replaces it.

Lifecycle Timeline

Mar 26, 2026 - 00:13  CVE Published (nvd)
Mar 26, 2026 - 01:00  EUVD ID Assigned: EUVD-2026-16067 (euvd)
Mar 26, 2026 - 01:00  Analysis Generated (vuln.today)
Mar 31, 2026 - 21:13  Patch released; patch available (nvd)

Description (GitHub Advisory)

Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero icp_port). This problem cannot be mitigated by denying ICP queries using icp_access rules. Version 7.5 contains a patch.

Analysis (AI-generated)

Squid prior to version 7.5 contains an out-of-bounds read (CWE-125) in its ICP (Internet Cache Protocol) handler, caused by improper input validation. A remote, unauthenticated attacker can send malformed ICP requests to a deployment that has explicitly enabled ICP (non-zero icp_port); the error response Squid returns for such an invalid request can carry small amounts of process memory, potentially including sensitive data. …


Vulnerability Assessment (AI-generated)

Risk Assessment: CVSS scores are available from several sources (GitHub Advisory 6.9 Medium, SUSE 7.5 High, Red Hat 5.3 Medium); no EPSS score is shown on this page. The attack vector is network-based over UDP and requires neither authentication nor user interaction, but exploitation is limited to Squid instances that explicitly enable ICP (non-zero icp_port), which upstream leaves disabled by default, so overall exposure is reduced. The rated impact is a small memory disclosure per response; no source rates an availability impact. …
Exploit Scenario: An attacker identifies a Squid proxy with ICP enabled (for example by probing UDP 3130, the standard ICP port, or through configuration reconnaissance) and sends an ICP datagram that fails Squid's input validation. When the vulnerable instance builds the ICP error response for that invalid request, the out-of-bounds read occurs and the response carries small fragments of Squid process memory back to the attacker. …
Remediation: The primary remediation is to upgrade Squid to version 7.5 or later, which contains the patch for the out-of-bounds read. The advisory states that icp_access rules do not mitigate the issue, so the only effective workaround is to remove the exposure: disable ICP by setting icp_port 0 (the upstream default), or restrict reachability of the ICP UDP port at the network layer to trusted cache peers. Distribution packages may carry a backported fix at a version other than 7.5; see the vendor status below. …
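The bug class described in the assessment above (a datagram handler that sizes its work by a length field taken from the packet rather than by the bytes actually received, then echoes memory it never received into an error reply), as an added illustration. This is not Squid's code and does not reproduce the actual CVE-2026-33515 defect: the header layout follows the ICP v2 message format from RFC 2186, while the function names, the 64-byte backing buffer that stands in for adjacent process memory and the "SECRET" marker are constructed for the example. The hardened parser shows the checks a practitioner would expect: bound every extent by the received length, require the length field to agree with it, and require the URL's terminator to lie inside the datagram.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICP v2 header (RFC 2186): opcode(1) version(1) length(2) reqnum(4)
 * options(4) option data(4) sender address(4) = 20 bytes, then payload.
 * ICP_OP_QUERY payload: 4-byte requester address + NUL-terminated URL. */
#define ICP_HDR_LEN 20
#define ICP_VERSION 2
#define ICP_OP_QUERY 1

enum icp_status { ICP_OK = 0, ICP_E_SHORT = -1, ICP_E_VERSION = -2,
                  ICP_E_LENGTH = -3, ICP_E_URL = -4 };

struct icp_msg {
    uint8_t opcode;
    uint32_t reqnum;
    const char *url;   /* points into the datagram; its NUL lies inside it */
    size_t url_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Unsafe pattern (illustrative, not Squid's code): size the payload echoed
 * into an error reply by the header's length field, not by the bytes that
 * actually arrived. An over-claiming header makes the copy run past the
 * datagram into adjacent memory. Returns the number of bytes copied. */
size_t icp_echo_payload_unchecked(const uint8_t *pkt, size_t received,
                                  uint8_t *out, size_t outcap) {
    (void)received;                         /* the bug: never consulted */
    size_t claimed = be16(pkt + 2);
    size_t n = claimed > ICP_HDR_LEN ? claimed - ICP_HDR_LEN : 0;
    if (n > outcap) n = outcap;
    memcpy(out, pkt + ICP_HDR_LEN, n);      /* may read beyond `received` */
    return n;
}

/* Hardened parse: every extent is bounded by `received`, and the
 * attacker-controlled length field must agree with it exactly. */
int icp_parse(const uint8_t *pkt, size_t received, struct icp_msg *out) {
    if (received < ICP_HDR_LEN) return ICP_E_SHORT;
    if (pkt[1] != ICP_VERSION) return ICP_E_VERSION;
    if (be16(pkt + 2) != received) return ICP_E_LENGTH;
    out->opcode = pkt[0];
    out->reqnum = be32(pkt + 4);
    out->url = NULL;
    out->url_len = 0;
    if (out->opcode == ICP_OP_QUERY) {
        if (received < ICP_HDR_LEN + 4 + 1) return ICP_E_SHORT;
        const uint8_t *url = pkt + ICP_HDR_LEN + 4;
        const uint8_t *nul = memchr(url, '\0', received - (ICP_HDR_LEN + 4));
        if (nul == NULL) return ICP_E_URL;  /* URL not terminated in datagram */
        out->url = (const char *)url;
        out->url_len = (size_t)(nul - url);
    }
    return ICP_OK;
}

/* Build a well-formed ICP_OP_QUERY into buf; returns its length, 0 on error. */
size_t icp_build_query(uint8_t *buf, size_t cap, uint32_t reqnum, const char *url) {
    size_t ulen = strlen(url) + 1;          /* include the NUL */
    size_t total = ICP_HDR_LEN + 4 + ulen;
    if (total > cap || total > 0xFFFF) return 0;
    memset(buf, 0, ICP_HDR_LEN + 4);
    buf[0] = ICP_OP_QUERY;
    buf[1] = ICP_VERSION;
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    for (int i = 0; i < 4; i++) buf[4 + i] = (uint8_t)(reqnum >> (24 - 8 * i));
    memcpy(buf + ICP_HDR_LEN + 4, url, ulen);
    return total;
}

/* Constructed demo: a 24-byte datagram claiming 60 bytes sits at the start of
 * a 64-byte backing buffer that stands in for memory adjacent to the receive
 * buffer. Returns 1 if the unchecked echo leaked the planted marker and the
 * hardened parser rejected the packet. */
int demo_leak(void) {
    uint8_t backing[64] = {0}, reply[64];
    memcpy(backing + 30, "SECRET", 6);      /* "adjacent memory" marker */
    backing[0] = ICP_OP_QUERY;
    backing[1] = ICP_VERSION;
    backing[3] = 60;                        /* claims 60 bytes, only 24 arrived */
    struct icp_msg msg;
    int rc = icp_parse(backing, 24, &msg);
    size_t n = icp_echo_payload_unchecked(backing, 24, reply, sizeof reply);
    return rc == ICP_E_LENGTH && n == 40 && memcmp(reply + 10, "SECRET", 6) == 0;
}

int main(void) {
    printf("leak reproduced and rejected by hardened parser: %s\n",
           demo_leak() ? "yes" : "no");
    return 0;
}
```

The unchecked echo stays inside the backing array here only because the demo placed the datagram in a larger buffer; in a real process the bytes past the received datagram are whatever happens to follow the receive buffer, which is the disclosure the advisory describes. The `icp_build_query` helper produces a datagram that a hardened parser accepts; sent to UDP 3130 it also serves as a quick way to inventory which proxies answer ICP at all, which is the first step of scoping exposure to this issue.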

Recommended Action (AI-generated)

Within 30 days: Identify affected systems and apply vendor patches as part of the regular patch cycle. Scope the affected set by checking each Squid configuration for a non-zero icp_port; instances with ICP disabled are not exposed. …

Vendor Status

Ubuntu

Priority: Medium
squid
Release Status Version
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream needs-triage -
squid3
Release Status Version
xenial needs-triage -
bionic needs-triage -
jammy DNE -
noble DNE -
questing DNE -
upstream needs-triage -

Debian

squid
Release Status Version Urgency
bullseye vulnerable 4.13-10+deb11u3 -
bullseye (security) vulnerable 4.13-10+deb11u6 -
bookworm vulnerable 5.7-2+deb12u5 -
bookworm (security) vulnerable 5.7-2+deb12u4 -
trixie, trixie (security) vulnerable 6.13-2+deb13u1 -
forky vulnerable 7.4-1 -
sid fixed 7.5-1 -
(unstable) fixed 7.5-1 -

For releases marked vulnerable, the version shown is the package currently shipped, not a fixed one; only sid/unstable (7.5-1) is fixed.

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

EUVD-2026-16067 vulnerability details – vuln.today