Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

Affected Products

Vendor	Product	Versions
Squid	Squid	3.5.28, 4.17, 5.9, 6.14, 7.4, < 7.5

References

Related News (1 articles)

Tier A

Microsoft MSRC-1091s ago

CVE-2026-33515 Squid has issues in ICP message handling

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-125, CWE-1289

Published3/26/2026

Last enriched7h agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Version History

Last enriched 7h ago

v2Tier C7h ago

Added vendor and product information, updated affected versions, changed severity to HIGH, and marked the vulnerability as actively exploited with an exploit available.

vendorproductaffectedVersionspatchAvailable

via oss-security

v19h ago

Initial creation

Description

Vendor

Product

Versions

Squid

3.5.28, 4.17, 5.9, 6.14, 7.4, < 7.5