Full Report
Squid security advisory (AV26-284)
Analysis Summary
# Vulnerability: Multiple Denial of Service and Out-of-Bounds Read in Squid ICP Handling
## CVE Details
*Note: The summary advisory lists neither CVE IDs nor CVSS scores; the issues are tracked under the Squid Security Advisories referenced below.*
- **CVE ID:** Not listed in the summary advisory (placeholder CVE-2026-XXXXX; associated with SQUID-2026:1, SQUID-2026:2, SQUID-2026:3)
- **CVSS Score:** Not provided in the summary advisory
- **CWE:** CWE-125 (Out-of-bounds Read) and CWE-400 (Uncontrolled Resource Consumption), inferred from the advisory descriptions
## Affected Systems
- **Products:** Squid Caching Proxy
- **Versions:** All versions prior to **7.5**
- **Configurations:** Systems with the Internet Cache Protocol (ICP) enabled, i.e. a non-zero `icp_port` in `squid.conf` (the conventional ICP port is UDP 3130).
## Vulnerability Description
Multiple vulnerabilities exist in the way Squid handles Internet Cache Protocol (ICP) requests.
1. **Denial of Service (SQUID-2026:1 & SQUID-2026:2):** Flaws in the processing of ICP requests can lead to uncontrolled resource consumption or daemon crashes, effectively disabling the proxy service.
2. **Out-of-Bounds Read (SQUID-2026:3):** A flaw in the ICP message handling logic allows for an out-of-bounds memory read. This can lead to information disclosure from the process memory or cause a crash (DoS).
## Exploitation
- **Status:** No public proof of concept is referenced in the advisories; availability unknown
- **Complexity:** Low to Medium
- **Attack Vector:** Network (unauthenticated UDP datagrams to the ICP port; any host that can reach the port can send them, and the summary does not state whether `icp_access` is evaluated before the affected code paths)
## Impact
- **Confidentiality:** Low to Medium (potential memory leakage via OOB read)
- **Integrity:** None
- **Availability:** High (Service crash or resource exhaustion)
## Remediation
### Patches
- Upgrade to **Squid version 7.5** or later.
- For users on stable branches (e.g., 6.x), apply the specific patches provided in the GitHub Security Advisories linked below.
### Workarounds
- **Disable ICP:** If ICP is not required in your environment, disable it by setting `icp_port 0` (or removing the directive) in `squid.conf`; with no listener there is nothing to attack. The conventional ICP port is UDP 3130.
- **Access Control:** If ICP is needed, restrict it with `icp_access` to the neighbour caches only. `trusted_neighbors` must be defined with an `acl ... src` line listing those caches, and the list should end with an explicit `deny all` so that unmatched sources are rejected:
`icp_access allow trusted_neighbors`
`icp_access deny all`
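To check whether an existing `squid.conf` still leaves ICP exposed after applying the workarounds above, the following audit script parses the three directives that govern ICP (`icp_port`, `acl`, `icp_access`) and reports weak settings. It is an added example, not part of the advisory or of Squid's own tooling; the three configuration snippets are constructed for illustration and the `10.0.0.0/24` neighbour range is an assumption.

```python
"""Audit a squid.conf for ICP exposure.

Added example, not Squid's own tooling: it inspects only the directives that
govern ICP (icp_port, acl, icp_access) and reports weak settings.
"""


def parse_squid_conf(text):
    """Return (directive, args) pairs; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def audit_icp(text):
    """Return {'icp_enabled': bool, 'port': int, 'findings': [str, ...]}."""
    port, acls, rules = 0, {"all"}, []  # 'all' is predefined in Squid 3.x and later
    for name, args in parse_squid_conf(text):
        if name == "icp_port" and args:
            port = int(args[0])
        elif name == "acl" and args:
            acls.add(args[0])
        elif name == "icp_access" and len(args) >= 2:
            rules.append((args[0], args[1:]))

    findings = []
    if port == 0:
        # icp_port 0 means no ICP listener; an absent directive is treated the
        # same here, matching the documented default of "ICP disabled".
        return {"icp_enabled": False, "port": 0, "findings": findings}

    if not rules:
        findings.append("icp_port %d is open but no icp_access rules are defined" % port)
    for action, aclnames in rules:
        for aclname in aclnames:
            if aclname.lstrip("!") not in acls:
                findings.append("icp_access references undefined acl '%s'" % aclname)
        if action == "allow" and aclnames == ["all"]:
            findings.append("'icp_access allow all' accepts ICP from any source")
    if rules and rules[-1] != ("deny", ["all"]):
        # Squid applies the opposite of the last rule's action when no rule
        # matches, so a list that does not end in 'deny all' can fail open.
        findings.append("icp_access list does not end with 'deny all'")
    return {"icp_enabled": True, "port": port, "findings": findings}


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """
http_port 3128
icp_port 3130            # ICP listening on the conventional UDP port
icp_access allow all     # any host may query this cache
"""

HARDENED_CONF = """
http_port 3128
acl trusted_neighbors src 10.0.0.0/24   # assumed neighbour-cache range
icp_port 3130
icp_access allow trusted_neighbors
icp_access deny all
"""

DISABLED_CONF = """
http_port 3128
icp_port 0               # ICP disabled: no UDP listener, nothing to attack
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                        ("disabled", DISABLED_CONF)):
        print(label, audit_icp(conf))
```

Run it against your own file with `audit_icp(open("/etc/squid/squid.conf").read())`; an empty `findings` list with `icp_enabled` true means ICP is on but limited to the defined neighbours, which is the configuration the workaround describes.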
## Detection
- **Indicators of Compromise:** Unexpected crashes or restarts of the `squid` process, especially ones that coincide with inbound UDP traffic to the ICP port.
- **Detection methods/tools:**
  - Monitor `cache.log` and system logs for segmentation-fault records (Squid logs `FATAL: Received Segment Violation...dying.`) or `assertion failed:` records that follow ICP traffic, for example those referencing `icp_incoming`.
  - Use a network IDS to flag UDP datagrams to the ICP port (3130 by convention) that do not parse as ICP, for instance where the header's length field disagrees with the datagram size or the URL is not NUL-terminated.
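The structural checks behind that IDS rule follow from the ICP v2 framing in RFC 2186: a 20-byte header (opcode, version, message length, request number, options, option data, sender address) followed by a NUL-terminated URL, which in a query is preceded by a 4-byte requester address. The checker below is an added example, not Squid code and not a description of the advisories' actual triggers; it only flags datagrams whose self-description is inconsistent with what was received. The sample datagrams are constructed here for illustration.

```python
"""Structural sanity checks for ICP v2 (RFC 2186) datagrams, as a detection aid.

Added example, not Squid code: it validates the framing a receiver would trust
before parsing, and reports why a datagram should be treated as malformed.
"""
import struct
from typing import Optional

# Fixed header: opcode, version, message length, request number, options,
# option data, sender host address (all network byte order) = 20 bytes.
ICP_HEADER = struct.Struct("!BBHIII4s")
ICP_HEADER_LEN = ICP_HEADER.size
ICP_VERSION = 2
ICP_OP_QUERY = 1
ICP_OPCODES = {1: "QUERY", 2: "HIT", 3: "MISS", 4: "ERR", 10: "SECHO",
               11: "DECHO", 21: "MISS_NOFETCH", 22: "DENIED"}


def build_icp_query(url: bytes, reqnum: int = 1, length: Optional[int] = None) -> bytes:
    """Build an ICP_OP_QUERY. `length` overrides the header's length field so
    that inconsistent samples can be constructed for testing."""
    payload = b"\x00\x00\x00\x00" + url + b"\x00"  # requester address + NUL-terminated URL
    total = ICP_HEADER_LEN + len(payload)
    header = ICP_HEADER.pack(ICP_OP_QUERY, ICP_VERSION,
                             total if length is None else length,
                             reqnum, 0, 0, b"\x00" * 4)
    return header + payload


def check_icp_datagram(data: bytes) -> dict:
    """Return {'ok', 'opcode', 'url', 'reason'}; a non-None reason means the
    datagram's header cannot be trusted to describe its contents."""
    res = {"ok": False, "opcode": None, "url": None, "reason": None}
    if len(data) < ICP_HEADER_LEN:
        res["reason"] = "short datagram: %d bytes < %d-byte header" % (len(data), ICP_HEADER_LEN)
        return res
    opcode, version, length, _reqnum, _opts, _optdata, _sender = ICP_HEADER.unpack_from(data)
    res["opcode"] = ICP_OPCODES.get(opcode, "UNKNOWN(%d)" % opcode)
    if version != ICP_VERSION:
        res["reason"] = "unsupported ICP version %d" % version
        return res
    if opcode not in ICP_OPCODES:
        res["reason"] = "unknown opcode %d" % opcode
        return res
    if length != len(data):
        # A receiver that walks `length` bytes while the kernel delivered only
        # len(data) is a generic source of out-of-bounds reads; flag it.
        res["reason"] = "length field %d != datagram size %d" % (length, len(data))
        return res
    payload = data[ICP_HEADER_LEN:]
    if opcode == ICP_OP_QUERY:
        if len(payload) < 4:
            res["reason"] = "query lacks requester address"
            return res
        payload = payload[4:]
    if not payload.endswith(b"\x00"):
        res["reason"] = "URL not NUL-terminated"
        return res
    url = payload[:-1]
    if b"\x00" in url:
        res["reason"] = "embedded NUL in URL"
        return res
    res["url"] = url.decode("ascii", errors="replace")
    res["ok"] = True
    return res


def _with_length(data: bytes, length: int) -> bytes:
    """Rewrite the 16-bit length field of an existing datagram."""
    return data[:2] + struct.pack("!H", length) + data[4:]


# Constructed sample datagrams (example.test is a reserved name, not a real host).
_good = build_icp_query(b"http://example.test/index.html")
SAMPLES = {
    "valid_query": _good,
    "truncated_header": _good[:12],
    "overstated_length": build_icp_query(b"http://example.test/", length=4000),
    "unterminated_url": _with_length(_good[:-1], len(_good) - 1),
    "bad_version": _good[:1] + b"\x03" + _good[2:],
}

if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        print(name, check_icp_datagram(dgram))
```

Wire `check_icp_datagram` into whatever captures UDP/3130 (a pcap reader or a socket tap on a sensor) and alert on any non-None `reason`; legitimate neighbour caches produce consistent headers, so a burst of flagged datagrams from one source is worth correlating with `cache.log` crash records.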
## References
- [SQUID-2026:1 Advisory] hxxps[://]github[.]com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg
- [SQUID-2026:2 Advisory] hxxps[://]github[.]com/squid-cache/squid/security/advisories/GHSA-f9p7-3jqg-hhvq
- [SQUID-2026:2 (Alternate) Advisory] hxxps[://]github[.]com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c
- [SQUID-2026:3 Advisory] hxxps[://]github[.]com/squid-cache/squid/security/advisories/
- [Cyber Centre Advisory (AV26-284)] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/squid-security-advisory-av26-284