CVE-2026-47729
Awaiting Analysis Awaiting Analysis - Queue

Out-of-Bounds Read in Squid Proxy FTP Gateway

Vulnerability report for CVE-2026-47729, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Squid is a caching proxy for the Web. Prior to 7.6, due to an improper validation of syntactic correctness of input in the FTP gateway (src/clients/FtpGateway.cc), Squid is vulnerable to an out-of-bounds read: when a listing entry date in the TypeA or TypeB directory-listing formats is not followed by a filename, parsing was not restricted to the input buffer, so a trusted client accessing a misbehaving FTP server through Squid's gateway feature could read memory from random unrelated transactions. This issue is fixed in version 7.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
squid_cache squid to 7.6 (exc)
squid squid 7.6
squid squid to 7.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1289 The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-47729 is an out-of-bounds read vulnerability in Squid's FTP gateway feature. It occurs when parsing FTP directory listings in TypeA or TypeB formats where a date field is not followed by a filename. The improper validation allows trusted clients accessing misbehaving FTP servers through Squid to read random unrelated transaction data from memory.

Detection Guidance

Detecting this vulnerability requires checking the Squid version in use. Run 'squid -v' to see the installed version. If it is below 7.6, the system is vulnerable. Additionally, monitor FTP traffic through Squid for unusual patterns or errors in directory listings.

Impact Analysis

Affected users running Squid versions prior to 7.6 could experience information disclosure. A trusted client might read sensitive data from other transactions if the Squid proxy connects to a malicious or misconfigured FTP server. The impact is limited to confidentiality breaches rather than code execution or system compromise.

Compliance Impact

This vulnerability could violate GDPR and HIPAA by enabling unauthorized access to personal or health data during FTP transactions. Organizations processing sensitive data through Squid may fail to meet confidentiality requirements, leading to compliance violations and potential regulatory penalties.

Mitigation Strategies

Upgrade Squid to version 7.6 or later immediately. If upgrading is not possible, restrict FTP access to trusted servers using ACL rules in squid.conf, such as 'acl trusted_ftp dst <trusted_server_IP>' and 'http_access allow trusted_ftp'.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47729. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart