Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

Affected Products

Vendor	Product	Versions
Squid	Squid	3.5.28, 4.17, 5.9, 6.14, 7.4, < 7.5

References

Related News (2 articles)

Tier A

Microsoft MSRC1h ago

CVE-2026-33515 Squid has issues in ICP message handling

→ No new info (linked only)

Tier C

oss-security2d ago

[ADVISORY] SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-125, CWE-1289

Published3/26/2026

Last enriched1h agov3

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Version History

Last enriched 1h ago

v3Tier C1h ago

Updated severity from NONE to HIGH.

severity

via oss-security

v2Tier C9h ago

Added vendor and product information, updated affected versions, changed severity to HIGH, and marked the vulnerability as actively exploited with an exploit available.

vendorproductaffectedVersionspatchAvailable

via oss-security

v111h ago

Initial creation

Description

Vendor

Product

Versions

Squid

3.5.28, 4.17, 5.9, 6.14, 7.4, < 7.5