Bug 2492883 (CVE-2026-50012) - CVE-2026-50012 squid: memory corruption in cache_digest reply handling
Summary: CVE-2026-50012 squid: memory corruption in cache_digest reply handling
Keywords:
Status: NEW
Alias: CVE-2026-50012
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2492995 2492996
Blocks:
 
Reported: 2026-06-25 13:15 UTC by OSIDB Bzimport
Modified: 2026-06-25 16:30 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-25 13:15:07 UTC
Due to an improper input validation bug, Squid is vulnerable to a heap-based buffer overflow attack against cache digests.

This problem allows a trusted server to perform a heap-based buffer overflow when sending maliciously crafted replies to cache_digest request messages.

This attack is limited to Squid instances that have been compiled with the --enable-cache-digests option. Trusted peers are expected to be servers within the same administrative domain. As cache digests are exchanged over TCP, there is no risk of spoofing.
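Added example (not part of the bug report or of Squid): a triage check for the two conditions the description names, a build with --enable-cache-digests and configured peers. It assumes `squid -v` prints the configure options and that the `no-digest` option on a `cache_peer` line stops digest requests to that peer; the sample text and host names are constructed.

```shell
#!/bin/sh
# Added example: exposure triage for the condition in this bug's description.
# Both samples below are constructed for illustration, not taken from a host.
SAMPLE_BUILD="Squid Cache: Version 0.0.0-EXAMPLE
configure options:  '--prefix=/usr' '--enable-cache-digests' '--with-openssl'"
SAMPLE_CONF="# constructed squid.conf fragment
cache_peer parent.example.internal parent 3128 3130 default
cache_peer sibling.example.internal sibling 3128 3130 no-digest
#cache_peer old.example.internal sibling 3128 3130"

# Succeeds when `squid -v` text lists the --enable-cache-digests build option.
built_with_digests() {
    printf '%s\n' "$1" | grep -qF -e "--enable-cache-digests"
}

# Prints each cache_peer host that lacks the no-digest option, i.e. a peer
# whose digest replies this instance may request and parse.
digest_peers() {
    printf '%s\n' "$1" | awk '
        $1 == "cache_peer" {
            skip = 0
            for (i = 3; i <= NF; i++) if ($i == "no-digest") skip = 1
            if (!skip) print $2
        }'
}

# Combines both checks into one status line.
assess() {
    if ! built_with_digests "$1"; then
        echo "built-without-cache-digests"
        return 0
    fi
    peers=$(digest_peers "$2" | paste -sd, -)
    if [ -z "$peers" ]; then
        echo "digests-built-no-digest-peers"
    else
        echo "digest-peers: $peers"
    fi
}

# On a real host (config path is an assumption, adjust to your install):
#   assess "$(squid -v)" "$(cat /etc/squid/squid.conf)"
assess "$SAMPLE_BUILD" "$SAMPLE_CONF"
```

The check reads only the text passed to it, so configuration split across included files has to be concatenated before calling `assess`.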

