Recently, the Squid developers released a vital security update to address severe Squid proxy vulnerabilities. As a widely used caching proxy for the web, Squid reduces bandwidth and improves response times by reusing frequently requested web pages. However, the newly uncovered security flaws could allow attackers to trigger memory errors or expose private transaction data. Therefore, administrators should apply the patches immediately to secure their infrastructure.
Out-of-Bounds Read in FTP Gateway
The first major flaw, tracked as CVE-2026-47729, stems from an improper validation bug within the FTP gateway component. Specifically, a trusted client can perform an out-of-bounds read from random unrelated transactions when accessing a misbehaving FTP server. Because the gateway fails to validate the syntactic correctness of its input, sensitive information from other sessions might leak to unauthorized parties. Consequently, strict isolation between web transactions cannot be maintained until the fix is applied.
Severe Heap-Based Buffer Overflow Attack
Additionally, the update addresses CVE-2026-50012, which poses a more severe risk to proxy servers. Due to an improper input validation bug, the system is susceptible to a dangerous buffer overflow attack. Specifically, “This problem allows a trusted server to perform a Heap-based Buffer Overflow when sending maliciously crafted replies to cache_digest request messages.”
However, this specific threat is limited to instances compiled with the --enable-cache-digests option. If an attacker successfully exploits this heap-based flaw, they could potentially crash the service or execute arbitrary code.
Upgrade to Squid 7.6 Immediately
To mitigate these risks completely, operators must update their software deployments. Fortunately, the development team has officially released the patches to eliminate these dangerous Squid proxy vulnerabilities. You can download the secure source code directly through the official Squid 7.6 release notes on GitHub. Ensuring your systems run the latest version remains the most effective defense against memory corruption exploits.
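As an added defender's triage check (not code from the article or the Squid project), the following POSIX shell script parses the text that squid -v prints to decide whether a host runs a release older than 7.6 and, if so, whether it was built with --enable-cache-digests, so both advisories above can be triaged in one pass. It assumes the usual squid -v layout (a "Squid Cache: Version X.Y" line and a "configure options:" line) and treats every release before 7.6, the fix named above, as affected.

```shell
#!/bin/sh
# Added example, not code from the article or the Squid project: classify a host's
# exposure to the two advisories above from the text that `squid -v` prints.
# Assumes `squid -v` prints "Squid Cache: Version X.Y" and a "configure options:"
# line, and treats every release before 7.6 (the fix named above) as affected.
FIXED_VERSION="7.6"

# version_lt A B: succeed when dotted version A sorts before B (numeric fields)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}
# squid_version: print the version number found in `squid -v` text on stdin
squid_version() {
    sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}
# squid_has_digests: succeed when the build options include --enable-cache-digests
squid_has_digests() {
    grep -e '--enable-cache-digests' >/dev/null
}
# squid_assess: read `squid -v` output on stdin (usage: squid -v | squid_assess)
# and print one verdict: patched (7.6 or newer), ftp-only (older build, only
# CVE-2026-47729 applies), ftp-and-digest (older build with cache digests, both
# CVEs apply) or unknown (no version line found).
squid_assess() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | squid_version)
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    if ! version_lt "$ver" "$FIXED_VERSION"; then echo patched; return 0; fi
    if printf '%s\n' "$out" | squid_has_digests; then echo ftp-and-digest
    else echo ftp-only; fi
}

# Constructed samples of `squid -v` output (not captured from real hosts)
SAMPLE_OLD_DIGEST="Squid Cache: Version 6.10
configure options:  '--prefix=/usr' '--enable-cache-digests' '--with-openssl'"
SAMPLE_NEW="Squid Cache: Version 7.6
configure options:  '--prefix=/usr' '--enable-cache-digests'"
```

Run it on a fleet by piping each host's squid -v output into squid_assess; any host reporting ftp-and-digest should be upgraded first, since both flaws apply to it.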