Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests.
This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 5
https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec91…
security-advisories@github.com
https://github.com/squid-cache/squid/pull/2220
security-advisories@github.com
https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637
security-advisories@github.com
https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c
security-advisories@github.com
http://www.openwall.com/lists/oss-security/2026/03/25/4
af854a3a-2127-422b-91ae-364da2661108