CVE-2026-33515

{"id": "CVE-2026-33515", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T01:16:27.690", "references": [{"url": "https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165", "source": "security-advisories@github.com"}, {"url": "https://github.com/squid-cache/squid/pull/2220", "source": "security-advisories@github.com"}, {"url": "https://github.com/squid-cache/squid/pull/2220#discussion_r2727683637", "source": "security-advisories@github.com"}, {"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c", "source": "security-advisories@github.com"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/25/4", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Undergoing Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-1289"}]}], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch."}, {"lang": "es", "value": "Squid es un proxy de cach\u00e9 para la Web. Antes de la versi\u00f3n 7.5, debido a una validaci\u00f3n de entrada incorrecta, Squid es vulnerable a una lectura fuera de l\u00edmites al manejar tr\u00e1fico ICP. Este problema permite a un atacante remoto recibir peque\u00f1as cantidades de memoria que potencialmente contienen informaci\u00f3n sensible al responder con errores a solicitudes ICP no v\u00e1lidas. Este ataque se limita a implementaciones de Squid que habilitan expl\u00edcitamente el soporte ICP (es decir, configuran un 'icp_port' distinto de cero). Este problema no puede mitigarse denegando consultas ICP utilizando reglas de 'icp_access'. La versi\u00f3n 7.5 contiene un parche."}], "lastModified": "2026-03-26T15:13:15.790", "sourceIdentifier": "security-advisories@github.com"}