[squid-announce] [ADVISORY] SQUID-2026:5 Memory corruption in cache_digest reply handling
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 23 05:43:15 UTC 2026
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2026:5
__________________________________________________________________
Advisory ID: | SQUID-2026:5 (CVE-2026-50012)
Date: | 2026-06-14
Summary: | Memory corruption in cache_digest reply handling
Affected versions: | Squid 3.x -> 3.5.27
| Squid 4.x -> 4.17
| Squid 5.x -> 5.9
| Squid 6.x -> 6.14
| Squid 7.x -> 7.5
Fixed in version: | Squid 7.6
__________________________________________________________________
Problem Description:
Due to an Improper Input Validation bug, Squid is vulnerable to
a Heap-based Buffer Overflow attack against cache digests.
__________________________________________________________________
Severity:
This problem allows a trusted server to perform a Heap-based
Buffer Overflow when sending maliciously crafted replies to
cache_digest request messages.
This attack is limited to Squid instances that have been
compiled with the --enable-cache-digests option.
Trusted peers are expected to be servers within the same
administrative domain. As cache digests are exchanged over TCP,
there is no risk of spoofing.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 7.6
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 7:
<https://github.com/squid-cache/squid/commit/19fcfe922717c8b255270c032dcde4071c003bcd.patch>
<https://github.com/squid-cache/squid/commit/c9c9a06be6fb21f400014dcb0ec7e6d573167a5d.patch>
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
__________________________________________________________________
Determining if your version is vulnerable:
The following test can be used to determine affected feature use:
squid -v | grep -q 'enable-cache-digests' &&
squid -k parse 2>&1 | grep -w cache_peer | grep -v no-digest
* All Squid 7.5 and older without output are not vulnerable.
* All Squid 7.5 and older with output are vulnerable.
* All Squid 7.6 and later are not vulnerable.
__________________________________________________________________
Workaround:
Either
Audit your squid configuration and ensure that all configured
cache_peer's are under your organisational control and fully
trusted. This will greatly reduce the risk.
or
Disable cache digests for those peers by adding the
'no-digest' option for cache_peer you do not directly control.
This will remove the vulnerability at cost of increased
bandwidth. Use of HTCP or ICP can reduce that cost.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the <squid-users at lists.squid-cache.org> mailing list is
your primary support point. For subscription details see
<https://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<https://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
<squid-bugs at lists.squid-cache.org> mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This vulnerability was discovered independently by
Huy Hoàng Nguyễn of Sun Asterisk Vietnam, and
Sarthak Munshi
Fixed by Francesco Chemolli <kinkie at squid-cache.org>
__________________________________________________________________
Revision history:
2026-05-11 Initial Report
2026-05-30 10:16:33 Patch published
__________________________________________________________________
END
More information about the squid-announce
mailing list