Squid Proxy Patches Squidbleed Memory Leak and Cache Digest Buffer Overflow
Squid maintainers released Squid 7.6 to fix two severe vulnerabilities, including "Squidbleed" tracked as CVE-2026-47729, a heap out-of-bounds read in the proxy's FTP gateway code. The flaw can be triggered when Squid parses a malformed FTP LIST response from an attacker-controlled or misbehaving FTP server, causing memory disclosure from reused 4 KB buffers that may contain stale data from unrelated sessions, including HTTP Authorization headers. Reports said the issue affects Squid's default configuration because FTP support is enabled by default and TCP port 21 is permitted by the default Safe_ports ACL, although exploitation depends on the proxy being able to reach the hostile FTP server and is most relevant to cleartext HTTP or TLS-terminating proxy deployments.
The update also fixes CVE-2026-50012, a heap-based buffer overflow caused by malicious replies to cache_digest requests from a trusted server in builds compiled with --enable-cache-digests. That bug can crash Squid and may allow arbitrary code execution. The FTP parsing bug was patched by adding a null-terminator check before strchr, and administrators were urged to upgrade immediately to Squid 7.6; guidance also recommended disabling FTP support entirely unless it is explicitly required.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Calif.io publicly discloses Squidbleed vulnerability
Researchers at Calif.io publicly disclosed Squidbleed (CVE-2026-47729), a heap over-read in Squid's FTP directory-listing parser that can leak cleartext HTTP requests, credentials, and session tokens between proxy users. The disclosure noted public proof-of-concept code was available and said no in-the-wild exploitation had been reported at the time.
Fixes merged into supported Squid branches
Fixes for CVE-2026-47729 were merged into supported Squid branches during April and May 2026. The patch added a check for the null terminator before calling strchr in the vulnerable parsing logic.
Squid maintainers correct CVE-2026-47729 fix release to version 7.7
In an oss-sec thread, Amos Jeffries corrected an earlier statement that Squid 7.6 fixed CVE-2026-47729, clarifying that the fix for that vulnerability would instead ship in Squid 7.7. The same discussion noted Squid 7.6 contained the fix for CVE-2026-50012 and included additional technical explanation of Squidbleed's root cause.
Squid 7.6 released with vulnerability fixes
Squid released version 7.6 with patches for two severe vulnerabilities: CVE-2026-47729 and CVE-2026-50012. The update addressed an FTP gateway out-of-bounds read and a heap-based buffer overflow in cache_digest handling.
Squidbleed vulnerability reported to Squid maintainers
The initial report for CVE-2026-47729, later dubbed Squidbleed, was submitted to the Squid project. The flaw affects Squid's FTP directory listing parsing and can cause out-of-bounds reads and memory disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
12 references tracked. Mallory keeps watching after this page renders.
29-Year-Old 'Squidbleed' Vulnerability Discovered With the Aid of Claude Mythos Preview
cybersecuritynews.com
Open source29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests
thehackernews.com
Open sourceDecades-Old Squid Proxy Flaw 'Squidbleed' Can Expose User Data - SecurityWeek
securityweek.com
Open sourceSquidbleed CVE-2026-47729: Inside Squid's 29-Year-Old Bug | The CyberSec Guru
thecybersecguru.com
Open sourceFix Squid Proxy Vulnerabilities in New Update
securityonline.info
Open sourcepublications/MADBugs/squidbleed at main · califio/publications · GitHub
github.com
Open sourceRelease v7.6 · squid-cache/squid · GitHub
github.com
Open sourceImprove parsing of certain FTP directory listing formats (#2408) (#2409) · squid-cache/squid@865a131 · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Information Disclosure Vulnerability in Squid Proxy via Error Handling (CVE-2025-62168)
A critical vulnerability, tracked as CVE-2025-62168, has been identified in Squid, a widely used web caching proxy. This flaw, which carries a maximum CVSS score of 10.0, allows for the leakage of HTTP authentication credentials and security tokens through improper error handling. The vulnerability affects all Squid versions prior to 7.2, where a failure to redact sensitive information in error messages can result in information disclosure. Attackers can exploit this issue remotely, enabling them to bypass browser security protections and obtain credentials used by trusted clients. The vulnerability does not require Squid to be configured with HTTP authentication, broadening the potential attack surface. Scripts can leverage this flaw to extract credentials or security tokens that are used internally by web applications relying on Squid for backend load balancing. The risk is particularly severe for organizations using Squid as a reverse proxy or in environments where sensitive authentication data is transmitted. The vulnerability was disclosed publicly in October 2025, with security advisories highlighting the ease of remote exploitation. Administrators are urged to upgrade to Squid version 7.2, which contains the necessary fix to address this issue. As a temporary mitigation, disabling debug information in administrator mailto links by setting 'email_err_data off' in the squid.conf configuration file is recommended. The vulnerability's critical rating underscores the urgency for immediate remediation to prevent potential credential theft and unauthorized access. Security researchers emphasize that the flaw could be used in targeted attacks against organizations with exposed Squid proxies. The issue was reported through security advisories and has been acknowledged by the Squid development team. Organizations are advised to review their proxy configurations and apply the patch as soon as possible. The vulnerability highlights the importance of proper error handling and redaction of sensitive data in security-critical infrastructure. Failure to address this flaw could result in significant data breaches or compromise of internal systems. The disclosure has prompted widespread attention in the cybersecurity community, with multiple advisories and technical analyses published to assist defenders. The incident serves as a reminder of the risks associated with misconfigured or outdated proxy services in enterprise environments.
Mar 21, 2026
Squid ICP Flaws Expose Proxies to DoS and Memory Disclosure
Squid disclosed three security issues in its Internet Cache Protocol (ICP) request handling, including **CVE-2026-33515**, an out-of-bounds read that can leak small amounts of process memory in error responses to malformed ICP requests. The memory disclosure bug affects Squid versions **3.0 through 7.4** when ICP support is explicitly enabled with a non-zero `icp_port`, and the project said `icp_access` rules do not mitigate the issue. The flaw was reported and fixed by Joshua Rogers of ZeroPath and Alex Rousskov of The Measurement Factory. The advisories also include **SQUID-2026:1** and **SQUID-2026:2**, both describing denial-of-service conditions in ICP request handling, indicating a broader weakness in how Squid processes ICP traffic. Squid said the memory disclosure issue is fixed in **version 7.5**, and it published a patch for supported **7.x** stable releases; administrators that cannot patch were advised to disable ICP or set `icp_port 0` to remove exposure.
May 25, 2026
Squid ICP Use-After-Free Flaws Enable Remote Denial of Service
Two high-severity vulnerabilities, **CVE-2026-32748** and **CVE-2026-33526**, were disclosed in **Squid** that allow remote denial-of-service attacks through malformed **Internet Cache Protocol (ICP)** traffic. The flaws stem from heap **use-after-free** conditions in both ICP response and ICP request handling, with one advisory also citing premature resource release. Affected systems are Squid deployments running versions prior to **7.5**. The bugs are only exploitable where administrators have explicitly enabled ICP by setting a non-zero `icp_port`, and the advisories warn that `icp_access` rules do **not** mitigate the issue. Squid **7.5** contains the fixes, and the disclosures reference upstream patches, a GitHub security advisory, and an Openwall `oss-security` post. Organizations using Squid with ICP enabled should prioritize upgrading and review whether ICP is necessary in exposed environments.
Mar 26, 2026