CVE-2026-33515 Overview
CVE-2026-33515 is an out-of-bounds read vulnerability in Squid, a widely-used caching proxy for the Web. Prior to version 7.5, improper input validation when handling Internet Cache Protocol (ICP) traffic allows a remote attacker to trigger memory reads beyond intended boundaries. This vulnerability can result in the disclosure of small amounts of memory that may contain sensitive information when the proxy responds with errors to malformed ICP requests.
The vulnerability is limited to Squid deployments that explicitly enable ICP support by configuring a non-zero icp_port value. Importantly, this issue cannot be mitigated through icp_access denial rules, making patching the primary remediation strategy.
Critical Impact
Remote attackers can extract sensitive memory contents from vulnerable Squid proxy servers by sending crafted ICP requests, potentially exposing configuration data, cached credentials, or other sensitive information in memory.
Affected Products
- Squid versions prior to 7.5
- Squid deployments with ICP support enabled (icp_port configured to non-zero value)
- All platforms running vulnerable Squid versions with ICP functionality
Discovery Timeline
- March 26, 2026 - CVE-2026-33515 published to NVD
- March 26, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33515
Vulnerability Analysis
This vulnerability stems from CWE-125 (Out-of-Bounds Read), where Squid fails to properly validate the size and boundaries of ICP packet data before processing. When handling ICP traffic, the proxy server does not adequately verify that URL data and packet sizes are within expected bounds, allowing memory to be read beyond the allocated buffer.
The flaw is particularly concerning because ICP is designed for inter-cache communication, and many organizations may have this protocol enabled for legitimate caching hierarchy purposes. The attack requires network access to the ICP port (typically UDP port 3130) but does not require authentication or user interaction, making it exploitable by any network-reachable attacker.
Root Cause
The root cause lies in insufficient validation of ICP packet sizes and URL extraction routines. The original implementation failed to ensure that URL data extracted from raw packet buffers was properly bounds-checked before being processed. The icpGetRequest function and related URL extraction logic did not validate that the packet contained sufficient data before reading, leading to potential out-of-bounds memory access.
Attack Vector
An attacker with network access to a vulnerable Squid server's ICP port can exploit this vulnerability by:
- Sending malformed ICP requests with invalid packet sizes or malformed URL data
- Triggering the out-of-bounds read condition when Squid attempts to process the invalid request
- Receiving error responses that may contain leaked memory contents
- Repeating the attack to potentially extract additional sensitive information
The attack is network-based and can be executed remotely without authentication, targeting the ICP UDP port configured on vulnerable Squid instances.
// Security patch - ICP URL extraction validation improvement
// Source: https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
extern Comm::ConnectionPointer icpOutgoingConn;
extern Ip::Address theIcpPublicHostID;
+/// A URI extracted from the given raw packet buffer.
+/// On errors, details the problem and returns nil.
+const char *icpGetUrl(const Ip::Address &from, const char *, const icp_common_t &);
+
/// \ingroup ServerProtocolICPAPI
-HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from);
+HttpRequest *icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from);
/// \ingroup ServerProtocolICPAPI
bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request);
The patch introduces a new icpGetUrl function that properly validates packet buffer contents and returns nil on errors, preventing out-of-bounds reads. Additionally, parameter types were changed to const to improve memory safety.
Detection Methods for CVE-2026-33515
Indicators of Compromise
- Unusual volume of ICP traffic on UDP port 3130 or configured icp_port
- Malformed ICP packets with abnormal sizes in network captures
- ICP error responses containing unexpected data patterns
- Multiple ICP requests from external or unauthorized IP addresses
- Squid error logs indicating ICP parsing failures or memory access issues
Detection Strategies
- Deploy network intrusion detection rules to monitor for malformed ICP packets with size mismatches
- Implement traffic analysis to identify reconnaissance patterns targeting the ICP port
- Monitor Squid access logs for unusual ICP query patterns from untrusted sources
- Use memory monitoring tools to detect abnormal memory access patterns in the Squid process
Monitoring Recommendations
- Enable verbose ICP logging in Squid configuration for forensic analysis
- Configure firewall logging for all ICP port traffic to track potential exploitation attempts
- Implement SIEM rules to correlate ICP traffic anomalies with known attack signatures
- Establish baseline ICP traffic patterns to identify deviations indicative of exploitation
How to Mitigate CVE-2026-33515
Immediate Actions Required
- Upgrade Squid to version 7.5 or later immediately
- If immediate patching is not possible, disable ICP support by setting icp_port 0 in squid.conf
- Restrict network access to the ICP port using firewall rules to trusted cache peers only
- Audit current ICP configuration and determine if the feature is operationally required
- Review network logs for signs of prior exploitation attempts
Patch Information
The vulnerability is addressed in Squid version 7.5. The fix implements proper validation of ICP packet sizes and URL extraction to prevent out-of-bounds memory reads. The patch was developed through Pull Request #2220 and the specific code changes can be reviewed in commit 8138e909.
For detailed vulnerability information, refer to the GitHub Security Advisory GHSA-84p4-hcx7-jj7c and the Openwall OSS-Security Discussion.
Workarounds
- Disable ICP entirely by setting icp_port 0 in Squid configuration (note: icp_access rules do NOT mitigate this vulnerability)
- Implement network-level firewall rules to block external ICP traffic to the Squid server
- Isolate Squid proxies that require ICP in a segmented network with strict access controls
- Consider alternative cache peering mechanisms that do not rely on ICP if the feature can be deprecated
# Configuration example - Disable ICP in squid.conf
# This is the recommended workaround if patching is not immediately possible
# Disable ICP port (default is 3130)
icp_port 0
# Note: icp_access rules do NOT mitigate CVE-2026-33515
# The vulnerability is exploited before access control checks are performed
# If ICP is required, restrict access at the firewall level
# Example iptables rule to block external ICP traffic:
# iptables -A INPUT -p udp --dport 3130 -s ! 10.0.0.0/8 -j DROP
# Restart Squid to apply configuration changes
# systemctl restart squid
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
