CVE-2026-33515: CWE-125: Out-of-bounds Read in squid-cache squid
Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
AI Analysis
Technical Summary
CVE-2026-33515 is an out-of-bounds read vulnerability in the Squid caching proxy server, specifically affecting versions prior to 7.5. Squid supports the Internet Cache Protocol (ICP) to communicate cache information between proxy servers. The vulnerability stems from improper input validation when processing ICP traffic, which can be exploited by a remote attacker sending crafted ICP requests. When Squid responds to invalid ICP requests, it may read and disclose small amounts of memory beyond intended boundaries. This memory could contain sensitive information such as cached data pointers or other internal state. The vulnerability is only exploitable if ICP support is enabled by setting a non-zero icp_port in the Squid configuration. Attempts to block ICP queries using icp_access rules do not prevent exploitation, indicating the flaw lies deeper in the ICP packet handling logic. The issue was fixed in Squid version 7.5 by implementing proper input validation to prevent out-of-bounds reads. The CVSS 4.0 vector indicates the attack requires no privileges or user interaction and can be performed remotely over the network, but the impact on confidentiality and integrity is limited due to the small amount of memory disclosed. No known public exploits or active exploitation have been reported as of the publication date.
Potential Impact
The primary impact of CVE-2026-33515 is unauthorized disclosure of potentially sensitive information from the memory of Squid proxy servers. Organizations running vulnerable Squid versions with ICP enabled may inadvertently leak internal memory contents to remote attackers. Although the amount of leaked data is small, it could include sensitive cache metadata or other internal state that might aid further attacks or reconnaissance. This could undermine confidentiality and potentially assist attackers in crafting more targeted exploits. Since Squid is widely used as a web caching proxy in enterprises, ISPs, and content delivery networks, the vulnerability could affect a broad range of organizations. However, the requirement to enable ICP support limits the attack surface to deployments explicitly configured for ICP, which is less common than standard HTTP proxy usage. The inability to mitigate via icp_access rules means organizations cannot rely solely on access controls to prevent exploitation. While no active exploitation is known, the vulnerability presents a moderate risk that should be addressed promptly to avoid potential data leakage and reconnaissance advantages for attackers.
Mitigation Recommendations
To mitigate CVE-2026-33515, organizations should upgrade Squid to version 7.5 or later, where the vulnerability is patched with proper input validation. If immediate upgrade is not feasible, consider disabling ICP support by setting icp_port to zero, effectively removing the vulnerable code path. Since icp_access rules do not prevent exploitation, relying on access control lists to block ICP queries is insufficient. Network-level filtering can be employed to block ICP traffic (UDP port 3130 by default) from untrusted sources to reduce exposure. Monitoring Squid logs for unusual or malformed ICP requests may help detect attempted exploitation. Additionally, conduct an inventory of Squid deployments to identify those with ICP enabled and prioritize patching or configuration changes accordingly. Regularly review Squid configurations and update to supported versions to minimize exposure to known vulnerabilities.
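The inventory step above can be scripted. The following is an added example (not Squid project code and not from the advisory): it parses a `squid.conf`, reports whether a non-zero `icp_port` enables the affected ICP code path, compares the running version against the 7.5 fix, and lists the mitigations the analysis names. It assumes Squid's one-directive-per-line syntax with `#` comments, does not follow `include` lines, and uses a constructed sample configuration rather than a real deployment.

```python
"""Audit a squid.conf for ICP exposure relevant to CVE-2026-33515.

Added example, not part of the Squid project. Assumptions: one directive per
line, '#' starts a comment anywhere on a line, 'include' directives are not
followed, and the last icp_port occurrence wins.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

FIXED_VERSION = (7, 5)   # advisory: fixed in Squid 7.5

# Constructed sample configuration (not a real deployment).
CONSTRUCTED_CONF = """
# constructed sample squid.conf
http_port 3128
icp_port 3130          # non-zero: ICP enabled, affected code path reachable
icp_access allow localnet
icp_access deny all    # does NOT mitigate CVE-2026-33515
"""


@dataclass
class IcpAudit:
    # Effective icp_port; None if never set (Squid's default is 0, i.e. disabled).
    icp_port: Optional[int] = None
    icp_access_rules: List[str] = field(default_factory=list)

    def icp_enabled(self) -> bool:
        return bool(self.icp_port)


def parse_version(version: str) -> tuple:
    """'7.4.1' -> (7, 4, 1); tuple comparison gives the ordering we need."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_squid_conf(text: str) -> IcpAudit:
    audit = IcpAudit()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        tokens = line.split()
        directive, args = tokens[0], tokens[1:]
        if directive == "icp_port" and args:
            try:
                audit.icp_port = int(args[0])   # later occurrences override
            except ValueError:
                pass                             # unparsable value: ignore line
        elif directive == "icp_access":
            audit.icp_access_rules.append(" ".join(args))
    return audit


def assess(conf_text: str, squid_version: str) -> dict:
    """Combine config and version into an affected/not-affected verdict."""
    audit = parse_squid_conf(conf_text)
    vulnerable_version = parse_version(squid_version) < FIXED_VERSION
    affected = vulnerable_version and audit.icp_enabled()
    findings = []
    if affected:
        findings.append("upgrade to Squid 7.5 or later")
        findings.append("until then set 'icp_port 0' to close the ICP code path")
        findings.append(f"filter UDP/{audit.icp_port} from untrusted networks")
        if audit.icp_access_rules:
            findings.append("icp_access rules present but do not mitigate this issue")
    return {
        "icp_port": audit.icp_port,
        "icp_enabled": audit.icp_enabled(),
        "vulnerable_version": vulnerable_version,
        "affected": affected,
        "findings": findings,
    }


if __name__ == "__main__":
    for verdict in (assess(CONSTRUCTED_CONF, "7.4"), assess(CONSTRUCTED_CONF, "7.5")):
        print(verdict)
```

Run it against each deployment's `squid.conf` and `squid -v` output; a host is flagged only when both conditions hold (version below 7.5 and `icp_port` non-zero), which matches the advisory's scope. A host with `icp_access` rules but no `icp_port 0` is still flagged, because the analysis states those rules do not prevent the issue.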
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:59:08.891Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c4854ef4197a8e3b9c70c5
Added to database: 3/26/2026, 1:01:02 AM
Last enriched: 3/26/2026, 1:17:20 AM
Last updated: 3/26/2026, 3:41:27 AM