{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33515", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:59:08.891Z", "datePublished": "2026-03-26T00:13:51.127Z", "dateUpdated": "2026-03-26T14:19:39.660Z"}, "containers": {"cna": {"title": "Squid has issues in ICP message handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1289", "lang": "en", "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c"}, {"name": "https://github.com/squid-cache/squid/pull/2220", "tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/pull/2220"}, {"name": "https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637", "tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637"}, {"name": "https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165", "tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165"}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"version": "< 7.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:13:51.127Z"}, "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch."}], "source": {"advisory": "GHSA-84p4-hcx7-jj7c", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/25/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-26T00:24:56.505Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:19:33.291751Z", "id": "CVE-2026-33515", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:19:39.660Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/25/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-26T00:24:56.505Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:19:33.291751Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:19:36.281Z"}}], "cna": {"title": "Squid has issues in ICP message handling", "source": {"advisory": "GHSA-84p4-hcx7-jj7c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"status": "affected", "version": "< 7.5"}]}], "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c", "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/squid-cache/squid/pull/2220", "name": "https://github.com/squid-cache/squid/pull/2220", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637", "name": "https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165", "name": "https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1289", "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:13:51.127Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33515", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:19:39.660Z", "dateReserved": "2026-03-20T16:59:08.891Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T00:13:51.127Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch."}], "id": "CVE-2026-33515", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T01:16:27.690", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165"}, {"source": "security-advisories@github.com", "url": "https://github.com/squid-cache/squid/pull/2220"}, {"source": "security-advisories@github.com", "url": "https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637"}, {"source": "security-advisories@github.com", "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/25/4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-1289"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Squid: Squid: Information disclosure via improper input validation in ICP traffic", "id": "2451581", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451581"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in Squid, a caching proxy for the Web. Due to improper input validation, Squid is vulnerable to an out-of-bounds read when handling Internet Cache Protocol (ICP) traffic. A remote attacker can exploit this by sending invalid ICP requests, potentially receiving small amounts of memory containing sensitive information. This vulnerability is limited to Squid deployments that have explicitly enabled ICP support."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, ensure that Internet Cache Protocol (ICP) support is disabled in Squid. This can be achieved by setting `icp_port` to `0` or commenting out the `icp_port` directive in the `squid.conf` configuration file. After modifying the configuration, the Squid service must be restarted for the changes to take effect."}, "name": "CVE-2026-33515", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "squid:4/squid", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T00:13:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33515\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33515\nhttp://www.openwall.com/lists/oss-security/2026/03/25/4\nhttps://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165\nhttps://github.com/squid-cache/squid/pull/2220\nhttps://github.com/squid-cache/squid/pull/2220#discussion_r2727683637\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c"], "statement": "This flaw in Squid has Moderate impact. It is only exploitable in Red Hat products if Squid is configured to explicitly enable ICP support (i.e., `icp_port` is set to a non-zero value), which is not the default configuration. This issue cannot be mitigated by `icp_access` rules.", "threat_severity": "Moderate"}