[squid-announce] [ADVISORY] SQUID-2026:5 Memory corruption in cache_digest reply handling

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 23 05:43:15 UTC 2026


__________________________________________________________________

     Squid Proxy Cache Security Update Advisory SQUID-2026:5
__________________________________________________________________

Advisory ID:       | SQUID-2026:5 (CVE-2026-50012)
Date:              | 2026-06-14
Summary:           | Memory corruption in cache_digest reply handling
Affected versions: | Squid 3.x -> 3.5.27
                    | Squid 4.x -> 4.17
                    | Squid 5.x -> 5.9
                    | Squid 6.x -> 6.14
                    | Squid 7.x -> 7.5
Fixed in version:  | Squid 7.6
__________________________________________________________________

Problem Description:

  Due to an Improper Input Validation bug, Squid is vulnerable to
  a Heap-based Buffer Overflow attack against cache digests.

__________________________________________________________________

Severity:

  This problem allows a trusted server to perform a Heap-based
  Buffer Overflow when sending maliciously crafted replies to
  cache_digest request messages.

  This attack is limited to Squid instances that have been
  compiled with the --enable-cache-digests option.

  Trusted peers are expected to be servers within the same
  administrative domain. As cache digests are exchanged over TCP,
  there is no risk of spoofing.

__________________________________________________________________

Updated Packages:

This bug is fixed by Squid version 7.6

  In addition, patches addressing this problem for the stable
  releases can be found in our patch archives:

Squid 7:
  <https://github.com/squid-cache/squid/commit/19fcfe922717c8b255270c032dcde4071c003bcd.patch>
  <https://github.com/squid-cache/squid/commit/c9c9a06be6fb21f400014dcb0ec7e6d573167a5d.patch>

  If you are using a prepackaged version of Squid then please
  refer to the package vendor for availability information on
  updated packages.

__________________________________________________________________

Determining if your version is vulnerable:

The following test can be used to determine affected feature use:

   squid -v | grep -q 'enable-cache-digests' &&
    squid -k parse 2>&1 | grep -w cache_peer | grep -v no-digest

  * All Squid 7.5 and older without output are not vulnerable.

  * All Squid 7.5 and older with output are vulnerable.

  * All Squid 7.6 and later are not vulnerable.

__________________________________________________________________

Workaround:

Either

   Audit your squid configuration and ensure that all configured
   cache_peer's are under your organisational control and fully
   trusted. This will greatly reduce the risk.

or

   Disable cache digests for those peers by adding the
   'no-digest' option for cache_peer you do not directly control.
   This will remove the vulnerability at cost of increased
   bandwidth. Use of HTCP or ICP can reduce that cost.

__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If you install and build Squid from the original Squid sources
  then the <squid-users at lists.squid-cache.org> mailing list is
  your primary support point. For subscription details see
  <https://www.squid-cache.org/Support/mailing-lists.html>.

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used
  <https://bugs.squid-cache.org/>.

  For reporting of security sensitive bugs send an email to the
  <squid-bugs at lists.squid-cache.org> mailing list. It's a closed
  list (though anyone can post) and security related bug reports
  are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

  This vulnerability was discovered independently by
   Huy Hoàng Nguyễn of Sun Asterisk Vietnam, and
   Sarthak Munshi

  Fixed by Francesco Chemolli <kinkie at squid-cache.org>

__________________________________________________________________

Revision history:

  2026-05-11 Initial Report
  2026-05-30 10:16:33 Patch published

__________________________________________________________________
END


More information about the squid-announce mailing list