
Squidbleed: A 29-Year-Old Heap Over-Read Leaks Cleartext HTTP in Squid (CVE-2026-47729)

Class: Info Disclosure | CVSS: Pending | Impact: Credential Leak | Exploit: Public PoC

Squid Web Proxy | CWE-125 Out-of-Bounds Read | Disclosed June 2026

Vulnerability Overview

CVE-2026-47729, nicknamed Squidbleed, is a heap buffer over-read in the FTP gateway of the Squid web proxy. The bug traces back to a commit from January 1997 and survived nearly three decades of releases, code reviews, and audits. It lets an attacker who is already an authorized user of a shared proxy leak fragments of other users' cleartext HTTP requests, including credentials, cookies, and session tokens, by coaxing the proxy into reading memory it should never return. The flaw was disclosed by researchers at Calif.io in June 2026. At the time of writing it has no official CVSS score assigned, but a cross-tenant credential leak on infrastructure that sits between many users and the internet should be treated as serious regardless of the pending number.

CVE ID: CVE-2026-47729
CVSS Score: Pending
Weakness: CWE-125
Affected Product: Squid Proxy
Affected Config: FTP Enabled (default)
Attacker Position: Trusted Proxy Client
Exploit Status: Public PoC
Fixed In: Squid 7.7 (verify)

Bottom Line

If you run a multi-user Squid proxy with FTP enabled, the cleanest immediate action is to disable FTP. Then patch to a build that actually contains the fix and verify the guard in FtpGateway.cc, because the version number alone has proven unreliable here.

Why This Matters

Squid is one of the most widely deployed web proxies, common in schools, businesses, public Wi-Fi, and embedded appliances, precisely the shared, multi-user environments where Squidbleed becomes dangerous. In those settings the attacker is not some distant internet host; they are just another authorized user of the same proxy, which is exactly the trust model Squid is built around. A bug that lets one tenant read another tenant's in-flight requests turns a piece of shared plumbing into a credential-harvesting channel. The leak is bounded but meaningful: normal HTTPS rides an opaque CONNECT tunnel that Squid never sees inside, so it is not exposed, but cleartext HTTP is, as is any traffic in TLS-terminating setups where Squid decrypts and inspects.

Technical Analysis

The root cause lives in Squid's FTP directory-listing parser. When Squid fetches an FTP directory listing, the parser processes the server's response, and a missing NUL-terminator check before the vulnerable strchr calls means a crafted or truncated listing can drive the read past the end of the intended buffer. That out-of-bounds read pulls in adjacent heap memory, which on a busy proxy can contain other users' in-flight HTTP request data, including Authorization headers and cookies. The leaked bytes are then surfaced back to the attacker in the rendered response.
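To make the bug class above concrete, here is an added, constructed illustration (hypothetical code, not Squid's FtpGateway.cc): a listing parser that finds the end of a line with strchr() on a buffer that was never NUL-terminated, next to a bounded version using memchr(). The simulated "heap" is one array so the over-read stays well-defined for the demo; in a real process the neighbouring bytes would be a separate allocation.

```c
#include <string.h>
/* Constructed illustration of the CWE-125 pattern behind Squidbleed: scanning a
 * received FTP listing with strchr() with no guarantee of a terminator.
 * Hypothetical code, not Squid's FtpGateway.cc. */

/* Vulnerable pattern: strchr() stops only at '\n' or a NUL byte, so a truncated,
 * unterminated listing lets the scan run into whatever follows the buffer. */
size_t line_len_vuln(const char *buf)
{
    const char *eol = strchr(buf, '\n');
    return eol ? (size_t)(eol - buf) : strlen(buf);
}

/* Hardened pattern: bound the scan by the bytes actually received and refuse
 * to parse (-1) when no complete line lies inside them. */
long line_len_safe(const char *buf, size_t len)
{
    const char *eol = memchr(buf, '\n', len);
    return eol ? (long)(eol - buf) : -1;
}

/* Simulated heap: the listing "allocation" is followed immediately by another
 * proxy user's in-flight HTTP request. One array keeps the demo well-defined. */
static const char LISTING[]   = "-rw-r--r-- 1 ftp ftp 1 x.txt"; /* truncated: no CRLF */
static const char NEIGHBOUR[] = "GET /login HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n";
static char heap[128];

/* Lay both out back to back with no terminator after the listing; returns 28. */
size_t build_heap(void)
{
    size_t n = strlen(LISTING);
    memset(heap, 0, sizeof heap);
    memcpy(heap, LISTING, n);
    memcpy(heap + n, NEIGHBOUR, strlen(NEIGHBOUR) + 1);
    return n;
}

/* Neighbour bytes the vulnerable scan hands back: 20 ("GET /login HTTP/1.1\r"),
 * because the first '\n' it finds belongs to the other user's request. */
size_t leaked_bytes(void)
{
    size_t n = build_heap();
    size_t got = line_len_vuln(heap);
    return got > n ? got - n : 0;
}

/* The bounded scan finds no '\n' within the 28 received bytes: -1, parse refused. */
long safe_result(void)
{
    return line_len_safe(heap, build_heap());
}
```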

Turning that into an exploit is straightforward. As demonstrated by public proof-of-concept code, the attacker stands up a malicious FTP server that returns a truncated directory listing, then repeatedly forces Squid to connect to it using FTP URLs. Each fetch triggers the over-read and returns a slice of adjacent memory, and the attacker reassembles credentials and tokens from the leaked fragments across many requests. The preconditions are mild: the proxy must be able to reach an attacker-controlled FTP server on port 21, and both FTP handling and that port are enabled in default Squid configurations.

The discovery itself is notable. Per the researchers' write-up, Squidbleed was surfaced by Calif.io with the assistance of an AI model, part of a broader 2026 trend of AI-assisted vulnerability research turning up long-dormant memory-safety bugs in mature, heavily audited codebases. A one-line parser oversight hiding in plain sight since 1997 is a fitting example of the class.

Exploitation Status

Proof-of-concept exploit code is public, and it reliably reproduces credential and token extraction in a lab. As of late June 2026, there were no confirmed reports of in-the-wild exploitation, but the low barrier (an authorized proxy user plus a hostile FTP server) and the value of the loot (live credentials and sessions) make this an attractive technique against shared proxy infrastructure. The exposure is strongest in environments where many users share one Squid instance and where Squid handles or decrypts cleartext HTTP.

Don't Confuse the Fix Versions

The remediation story for Squidbleed has been genuinely confusing, and getting it wrong leaves you exposed. The one-line fix (the missing NUL-terminator check) was merged to the development branch in April 2026 and into the v7 branch in May. Squid maintainer Amos Jeffries initially indicated the fix shipped in Squid 7.6, then corrected that to 7.7; separately, Debian's Salvatore Bonaccorso observed that the referenced commit appears to be present in 7.6. The safe conclusion is to stop trusting the version label alone and confirm the guard is actually in your build's FtpGateway.cc, especially since distributions ship their own packages (Debian, for instance, has shipped Squid 5.7).

One more trap: Squid 7.6 did land a real security fix, but for a different bug, CVE-2026-50012, an unrelated heap-based buffer overflow in cache_digest reply handling. If you upgraded to 7.6 assuming you also closed Squidbleed, you may not have.

Mitigation & Remediation

Priority order, drawn from the Calif.io disclosure and follow-up reporting:

  1. Disable FTP. Unless you have a specific, unusual need for it, turn off FTP handling in Squid. The researchers recommend this as the primary preventive measure, and it removes the attack vector outright.
  2. Patch and verify the guard. Move to a build that contains the FTP gateway fix (Squid 7.7 per the maintainer's correction) and confirm the NUL-terminator check is present in FtpGateway.cc rather than trusting the version number, accounting for distro backports.
  3. Block outbound FTP from the proxy. Restrict the proxy's egress so it cannot reach arbitrary external FTP servers on port 21, which denies the attacker the malicious-listing step.
  4. Rotate exposed secrets. In multi-user or TLS-intercepting deployments, treat credentials and session tokens that traversed the proxy as potentially leaked and rotate where warranted.
  5. Monitor. Watch proxy logs for repeated FTP directory-listing fetches to unusual or attacker-like external FTP servers.
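An added squid.conf fragment for steps 1 and 3 above (example configuration, not from the disclosure or the Squid project; the acl and http_access directives are standard Squid syntax, the ACL name is my choice):

```conf
# Step 1: refuse every ftp:// request before Squid's FTP gateway is reached.
# http_access is evaluated top-down, first match wins, so this pair must sit
# above the usual "http_access allow localnet" style rules.
acl FTP proto FTP
http_access deny FTP

# Step 3 (defence in depth): the stock config lists 21 among the ports Squid
# may talk to. Removing it makes the default "http_access deny !Safe_ports"
# refuse FTP on its default port as well. Block outbound TCP/21 from the proxy
# host in the network or host firewall too; squid.conf cannot do that part.
# acl Safe_ports port 21          # ftp   <- comment out or delete
```

Neither line replaces step 2: the over-read stays in the binary until the patched FtpGateway.cc is actually in your build.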

The Bigger Picture

Squidbleed is a reminder that age and audit history are not safety. A trivial parser oversight persisted for 29 years in a security-relevant code path inside software whose entire job is to sit in the middle of other people's traffic. It also previews a shift already underway: AI-assisted review is now reaching into decades-old C and C++ and surfacing the quiet memory-safety bugs that human audits repeatedly walked past. For defenders, the practical lessons are old ones made urgent again: minimize attack surface (turn off protocols you do not use, like FTP), do not assume shared infrastructure isolates its tenants, and verify that a patch is truly present rather than inferring it from a version string.
