oss-sec mailing list archives

Squid CVE-2026-47729 and CVE-2026-50012


From: Amos Jeffries <squid3 () treenet co nz>
Date: Fri, 12 Jun 2026 20:21:38 +1200

Hi all,

Squid 7.6 release contains fixes for and releases the embargo on CVE-2026-47729 and CVE-2026-50012.


CVE-2026-47729

Due to an Improper Validation of Syntactic Correctness of Input
bug, Squid is vulnerable to an Out-of-bounds Read
attack against the FTP gateway.

This problem allows a trusted client to perform an Out-of-Bounds
Read from random unrelated transactions when accessing a
misbehaving FTP server through Squid's gateway feature.

<https://github.com/squid-cache/squid/commit/865a131c7d557e68c965043d98c2eccae26deef8.patch>



CVE-2026-50012

Due to an Improper Input Validation bug, Squid is vulnerable to
a Heap-based Buffer Overflow attack against cache digests.

This problem allows a trusted server to perform a Heap-based
Buffer Overflow when sending maliciously crafted replies to
cache_digest request messages.

This attack is limited to Squid instances that have been
compiled with the --enable-cache-digests option.

<https://github.com/squid-cache/squid/commit/19fcfe922717c8b255270c032dcde4071c003bcd.patch>



Formal Advisories are still awaiting text polish. We hope to have them announced in a few days. Meanwhile, with the embargo over, additional details and/or attacks may be forthcoming from other sources, hence this summary alert.


Amos Jeffries
The Squid Software Foundation
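As an added example (not part of the advisory above and not code from the Squid project), the following POSIX shell script turns the exposure conditions stated in the alert into a check an administrator can run: any build older than 7.6 is exposed to the FTP gateway issue (CVE-2026-47729), and such a build is additionally exposed to the cache digest issue (CVE-2026-50012) only if it was configured with `--enable-cache-digests`. It relies on the real `squid -v` output format (a `Squid Cache: Version X.Y` line followed by a `configure options:` line); the sample output embedded below is constructed for illustration, and the 7.6 threshold is taken from the alert itself.

```shell
#!/bin/sh
# Added example, not from the advisory or the Squid project: classify a
# Squid build's exposure to the two CVEs from the text of `squid -v`.

# version_lt_7_6 VERSION -> exit 0 when VERSION (major.minor[.patch]) is
# older than the 7.6 release that carries the fixes.
version_lt_7_6() {
    major=${1%%.*}
    rest=${1#*.}
    # No dot in the version string: treat the minor part as 0.
    [ "$rest" = "$1" ] && rest=0
    minor=${rest%%.*}
    [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -lt 6 ]; }
}

# squid_version SQUID_V_OUTPUT -> prints the version number found on the
# "Squid Cache: Version" line, or nothing if that line is absent.
squid_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# ftp_exposure SQUID_V_OUTPUT -> "affected", "patched" or "unknown".
# CVE-2026-47729 needs no special build option, so version alone decides.
ftp_exposure() {
    version=$(squid_version "$1")
    [ -n "$version" ] || { echo "unknown"; return 1; }
    if version_lt_7_6 "$version"; then echo "affected"; else echo "patched"; fi
}

# digest_exposure SQUID_V_OUTPUT -> "affected", "not-affected", "patched"
# or "unknown".  CVE-2026-50012 only applies to builds configured with
# --enable-cache-digests, so the configure options are inspected as well.
digest_exposure() {
    version=$(squid_version "$1")
    [ -n "$version" ] || { echo "unknown"; return 1; }
    if ! version_lt_7_6 "$version"; then
        echo "patched"
    elif printf '%s\n' "$1" | grep -q -- '--enable-cache-digests'; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Constructed sample of `squid -v` output: an older build with digests on.
SAMPLE_OLD_DIGEST='Squid Cache: Version 7.5
Service Name: squid
configure options:  --prefix=/usr --enable-cache-digests --with-openssl'

# Demonstration on the constructed sample, then on the local binary if any.
echo "sample: ftp=$(ftp_exposure "$SAMPLE_OLD_DIGEST") digest=$(digest_exposure "$SAMPLE_OLD_DIGEST")"
if command -v squid >/dev/null 2>&1; then
    live=$(squid -v 2>/dev/null)
    echo "local squid: ftp=$(ftp_exposure "$live") digest=$(digest_exposure "$live")"
fi
```

The version comparison is numeric on the major and minor components, so 7.10 is correctly treated as newer than 7.6, and a missing version line yields "unknown" rather than a false "patched".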

