CVE-2026-47729
Squid Heap Buffer Overread Vulnerability
Squid Web Cache contains a heap buffer overread vulnerability, CVE-2026-47729, that can leak sensitive request data when a proxy processes crafted FTP responses from an attacker-controlled server. The vulnerability exists within Squid’s FTP gateway functionality and can expose credentials, cookies, API keys, session tokens, and other cleartext HTTP data from adjacent memory buffers. The issue, dubbed “Squidbleed,” is most impactful in shared proxy environments where multiple users route traffic through the same Squid instance. At the time of writing, no confirmed in-the-wild exploitation has been publicly reported.
Technical Details
CVE-2026-47729 exists within Squid’s FTP gateway code, specifically the logic that parses the directory listings an FTP server returns before Squid presents them to the HTTP client. A crafted listing line that ends where the filename field should begin causes the parser to keep scanning past the end of the received data and to read adjacent heap memory.
The root cause is how the parser treats the whitespace and filename fields of a listing line: it assumes a filename follows the trailing whitespace and does not stop at the end of the data actually received. The bytes read from outside the intended buffer are then returned to the requesting client as part of the rendered listing, which is what turns the bug into an information leak rather than a crash.
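The parsing pattern described above, as an added illustration that is not Squid's code and not taken from the advisory. It models an ls-style listing parser that takes the 9th field ("the rest of the line", since filenames may contain spaces) as the filename, in a vulnerable form that ignores the buffer length and a hardened form that bounds every scan and rejects a line with no filename. The heap layout, the listing line and the "Authorization" header that follows it in memory are all constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ls-style listing line: the filename is the 9th whitespace-separated field
 * and may itself contain spaces, so a parser takes "the rest of the line". */
#define NAME_FIELD 9

/* Vulnerable pattern (illustrative, not Squid's code). The caller's length is
 * ignored; the parser trusts that a filename and a terminating '\n' lie ahead.
 * When the line ends after the timestamp, p walks off the line into whatever
 * the heap holds next. */
static size_t vuln_extract_filename(const char *line, char *out, size_t outcap)
{
    const char *p = line;
    size_t n = 0;

    for (int f = 1; f < NAME_FIELD; f++) {
        while (*p == ' ') p++;
        while (*p && *p != ' ' && *p != '\n') p++;   /* unbounded scan */
    }
    while (*p == ' ') p++;                            /* steps past the line's end */
    while (*p && *p != '\n' && n + 1 < outcap)
        out[n++] = *p++;                              /* copies adjacent heap bytes */
    out[n] = '\0';
    return n;
}

/* Hardened form: every scan is bounded by the buffer length, and a line with
 * no filename field is rejected instead of being "completed" from memory.
 * Returns 0 on success, -1 when the line has no filename. */
int safe_extract_filename(const char *line, size_t len, char *out, size_t outcap)
{
    const char *p = line, *end = line + len;
    size_t n = 0;

    for (int f = 1; f < NAME_FIELD; f++) {
        while (p < end && *p == ' ') p++;
        if (p == end) return -1;                      /* field missing */
        while (p < end && *p != ' ' && *p != '\n') p++;
    }
    while (p < end && *p == ' ') p++;
    if (p == end || *p == '\n') return -1;            /* no filename: reject line */
    while (p < end && *p != '\n' && n + 1 < outcap)
        out[n++] = *p++;
    out[n] = '\0';
    return 0;
}

/* Constructed heap layout: one allocation holding the malformed listing line
 * (trailing space, no filename, no terminator) immediately followed by a
 * cleartext header left behind by an earlier client's request. */
static const char kMalformedLine[]  = "-rw-r--r-- 1 ftp ftp 1234 Jun 12 09:41 ";
static const char kAdjacentSecret[] =
    "Authorization: Bearer tok_constructed_12345\nCookie: session=abc\n";

static char *build_heap_layout(size_t *line_len)
{
    size_t llen = strlen(kMalformedLine);
    char *block = malloc(llen + sizeof kAdjacentSecret);
    if (!block) abort();
    memcpy(block, kMalformedLine, llen);              /* no NUL after the line */
    memcpy(block + llen, kAdjacentSecret, sizeof kAdjacentSecret);
    *line_len = llen;
    return block;
}

/* Runs the vulnerable parser over the layout; returns the bytes it leaked into out. */
size_t run_vulnerable(char *out, size_t outcap)
{
    size_t llen;
    char *block = build_heap_layout(&llen);
    size_t n = vuln_extract_filename(block, out, outcap);
    free(block);
    return n;
}

/* Runs the hardened parser over the same layout; returns its status code. */
int run_hardened(char *out, size_t outcap)
{
    size_t llen;
    char *block = build_heap_layout(&llen);
    int rc = safe_extract_filename(block, llen, out, outcap);
    free(block);
    return rc;
}

int main(void)
{
    char name[128];
    size_t n = run_vulnerable(name, sizeof name);
    printf("vulnerable parser returned %zu bytes: \"%s\"\n", n, name);
    printf("hardened parser on the same line: rc=%d\n", run_hardened(name, sizeof name));

    const char *good = "-rw-r--r-- 1 ftp ftp 1234 Jun 12 09:41 report.txt\n";
    if (safe_extract_filename(good, strlen(good), name, sizeof name) == 0)
        printf("hardened parser on a well-formed line: \"%s\"\n", name);
    return 0;
}
```

The vulnerable parser hands back the neighbouring Authorization header as the "filename" of the listing entry; the hardened one returns -1 for the same bytes and still extracts report.txt from a well-formed line. The read stays inside one allocation here so the demonstration is deterministic; in a real heap the adjacent bytes are whatever the allocator placed next, which is why the leaked content varies per request.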
Successful exploitation requires:
- A vulnerable Squid proxy with FTP functionality enabled
- An attacker-controlled FTP server reachable through the proxy
- A client request that makes the proxy fetch a listing from that server, for example a user who opens an ftp:// URL through the proxy
If exploited, the vulnerability can expose data previously stored in neighboring memory regions, including:
- HTTP credentials
- Session cookies
- Bearer tokens
- API keys
- Other cleartext HTTP request data
Shared proxy deployments are the most exposed because memory may contain traffic belonging to multiple users. Organizations operating Squid in enterprise networks, educational institutions, hospitality environments, managed service providers, transportation systems, and public Wi-Fi deployments should review exposure immediately.
NodeZero® Proactive Security Platform — Rapid Response
A NodeZero Rapid Response test has been developed to safely validate whether this heap buffer overread vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.
- Run the Rapid Response test: Launch from the NodeZero platform to determine whether exploitation is possible
- Patch immediately: Apply the vendor-provided fix or a distribution-specific backported update, and disable unnecessary FTP functionality where possible
- Re-run the test: Confirm the vulnerability is no longer exploitable after remediation
Affected versions & patch
- Affected: Squid Web Cache releases before 7.7 that include the vulnerable FTP gateway listing parser associated with CVE-2026-47729
- Fixed: Squid version 7.7 or later
- Mitigation:
  - Disable FTP support if it is not required
  - Restrict access to untrusted FTP servers
  - Block outbound TCP port 21 where operationally feasible
  - Apply vendor-provided updates as they become available
Because vendors package and backport Squid differently, administrators should verify patch status through their operating system, appliance, or distribution vendor rather than relying solely on version numbers: squid -v reports the upstream version string, and a distribution package can carry the fix as a backport under an older version.
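The first two mitigations expressed as squid.conf directives, as an added illustration that is not configuration from the advisory or from the Squid project. The ACL names and the internal host ftp.example.internal are assumptions. Squid evaluates http_access rules top-down with first match winning, so the deny must come before any broad allow.

```conf
# Before: a typical local-network policy allows every URL scheme Squid speaks,
# so ftp:// requests are gatewayed through the listing parser.
acl localnet src 10.0.0.0/8
http_access allow localnet

# After, option 1: refuse the FTP URL scheme entirely.
acl FTP proto FTP
http_access deny FTP
http_access allow localnet

# After, option 2: if one known server is still needed, allow only that host
# (assumed name) and deny every other FTP destination.
# acl FTP proto FTP
# acl trusted_ftp dstdomain ftp.example.internal
# http_access allow FTP trusted_ftp
# http_access deny FTP
# http_access allow localnet

# Squid's native FTP relay (separate code from the gateway) listens on ftp_port;
# if FTP is not needed at all, remove any such listener as well.
# ftp_port 2121
```

After editing, run squid -k parse to check the syntax and squid -k reconfigure to apply it, then confirm from a client that an ftp:// URL through the proxy is now refused.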
Timeline
- April 17, 2026 – Researchers at Calif.io privately report the vulnerability to the Squid project.
- June 12, 2026 – Squid maintainer Amos Jeffries discloses CVE-2026-47729 on the oss-security mailing list and releases fix information.
- June 18, 2026 – Calif.io publishes technical disclosure details and proof-of-concept information for Squidbleed.
- June 21, 2026 – Debian releases DSA-6360-1 addressing CVE-2026-47729 and related Squid vulnerabilities.
- June 22, 2026 – Public reporting from The Hacker News and SecurityWeek brings broader attention to the vulnerability.
- June 24, 2026 – Horizon3.ai releases a NodeZero Rapid Response test for CVE-2026-47729.