On 21 June 2026 Debian published advisory DSA-6360-1 for Squid, the long-running web caching proxy. The update closes four separate vulnerabilities and replaces the vulnerable 6.13-2+deb13u1 package with 6.13-2+deb13u2 on the stable Trixie branch (Debian 13).
The standout of the group is CVE-2026-47729, nicknamed Squidbleed by the researchers who found it (Calif.io). The name is a deliberate nod to the old Heartbleed: like that bug, this one leaks memory that should never be exposed. The root cause sits in Squid’s FTP directory-listing parser, inside the htmlifyListEntry() function in FtpGateway.cc. The code calls strchr() to skip whitespace after a timestamp but never checks for the string’s null terminator. Per the C standard, the terminating NUL counts as part of the string that strchr() searches, so a lookup for '\0' returns a pointer to that terminator rather than NULL, and the loop keeps reading past the end of the string. Because Squid recycles buffers from its MEM_4K_BUF pool without zeroing them, that overread can drag in leftovers from earlier sessions: HTTP headers from other proxy users, including Authorization headers carrying passwords, session tokens or API keys.
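The strchr() pitfall described above is easy to reproduce in isolation. The following C program is an added illustration written for this summary, not code from Squid or from the Calif.io write-up: the function names, the 32-byte buffer and the stale bytes placed after the terminator are all constructed for the demo. It puts a whitespace-skipping loop of the unchecked form next to a hardened one that tests for NUL first, and reports how far each loop walks from the same starting offset.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: a timestamp, one space, the terminating NUL, and then
 * stale bytes standing in for what a recycled, non-zeroed pool buffer might
 * still hold. sizeof SAMPLE is 20 (19 characters plus the literal's own NUL). */
#define BUF_LEN 32
static const char SAMPLE[] = "12:34 \0 \tSTALE-DATA";

static void fill_sample(char *buf) {
    memset(buf, 0, BUF_LEN);
    memcpy(buf, SAMPLE, sizeof SAMPLE);  /* copies the embedded NUL and the stale bytes */
}

/* Unchecked pattern (hypothetical name): strchr(" \t", '\0') returns a pointer
 * to the terminator of " \t", which is non-NULL, so the loop steps straight
 * over the end of the string and keeps consuming whatever bytes follow. */
size_t skip_ws_unchecked(const char *buf, size_t start) {
    const char *p = buf + start;
    while (strchr(" \t", *p))
        p++;
    return (size_t)(p - buf);
}

/* Hardened pattern (hypothetical name): test the byte for NUL before asking
 * strchr() about it, so the scan stops at the end of the string. */
size_t skip_ws_checked(const char *buf, size_t start) {
    const char *p = buf + start;
    while (*p != '\0' && strchr(" \t", *p))
        p++;
    return (size_t)(p - buf);
}

/* Run each skipper on the constructed buffer, starting just after "12:34". */
size_t demo_unchecked(void) {
    char buf[BUF_LEN];
    fill_sample(buf);
    return skip_ws_unchecked(buf, 5);
}

size_t demo_checked(void) {
    char buf[BUF_LEN];
    fill_sample(buf);
    return skip_ws_checked(buf, 5);
}

int main(void) {
    char buf[BUF_LEN];
    fill_sample(buf);
    size_t u = demo_unchecked();   /* 9: walked past the NUL at offset 6 */
    size_t c = demo_checked();     /* 6: stopped on the NUL */
    printf("unchecked loop stopped at offset %zu, next bytes: \"%s\"\n", u, buf + u);
    printf("checked loop stopped at offset %zu (string length %zu)\n", c, strlen(buf));
    return 0;
}
```

The demo keeps every read inside its own 32-byte array, so it is well defined and only shows the mechanism; in a real parser the bytes beyond the terminator belong to whatever the allocator handed out last, which is exactly why the checked form, or a strspn()-style scan that honours the terminator, is the one to use.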
To pull it off, the attacker needs a malicious FTP server the proxy can reach, and the victim has to share the same Squid instance. FTP support is on by default and port 21 is in the standard Safe_ports ACL, so a default configuration is exposed. The real-world blast radius is narrow: it only touches cleartext HTTP traffic, since HTTPS rides through opaque CONNECT tunnels that Squid doesn’t inspect. Even so, in corporate or institutional deployments where many people share one proxy, the risk of credential leakage is real. SUSE rated it moderate severity (CVSS 6.5).
The other three fixes in this advisory are:
- CVE-2026-33515 — an out-of-bounds read that can leak small amounts of process memory in error responses to malformed ICP requests. It only applies when ICP support is explicitly enabled with a non-zero icp_port.
- CVE-2026-33526 — a heap use-after-free in ICP response handling that allows a remote denial of service through crafted ICP traffic.
- CVE-2026-50012 — a heap buffer overflow in the cache digests component that can crash Squid and, in theory, allow code execution. It only affects builds compiled with --enable-cache-digests, a non-default flag.
If you run Squid on Debian, update the package as soon as you can. An apt update && apt upgrade will pull in 6.13-2+deb13u2; restart the service afterwards so the new workers load the patched code. In the meantime, if you don’t need FTP through the proxy you can blunt Squidbleed by turning that support off or removing port 21 from Safe_ports, and disabling ICP and cache digests cuts the exposure from the other three bugs.
Sources
- Debian Security Tracker — DSA-6360-1 squid: https://security-tracker.debian.org/tracker/DSA-6360-1
- CVE-2026-33515: https://nvd.nist.gov/vuln/detail/CVE-2026-33515
- CVE-2026-47729 (Squidbleed): https://nvd.nist.gov/vuln/detail/CVE-2026-47729