AI Security Wire

Squidbleed: Claude Mythos Surfaces a 29-Year Memory Leak in Squid Proxy


Researchers at Calif.io disclosed CVE-2026-47729 on June 22, 2026, and the story behind its discovery is almost as interesting as the bug itself. The vulnerability, which the team named Squidbleed, has been present in every version of Squid Proxy since the software’s first commit in 1997. It wasn’t found by a penetration tester, a security audit, or a bug bounty hunter. It was found by Anthropic’s Claude Mythos Preview in a code analysis session.

The result: a Heartbleed-style memory leak that can silently exfiltrate HTTP credentials and session tokens from other users on any shared proxy deployment.

What Squidbleed Actually Does

Squid is one of the most widely deployed open source caching proxies in existence. It sits between users and the internet on corporate networks, universities, and anywhere that wants centralised web access control. Most deployments have accumulated years of configuration and aren’t touched unless something breaks.

The bug lives in the FTP directory listing parser, specifically in the code handling NetWare-style FTP servers that output extra whitespace before filenames. The problematic section:

    while (strchr(w_space, *copyFrom))
        ++copyFrom;

This loop is intended to skip leading whitespace. It uses strchr() to check whether the current character is a member of the whitespace set w_space. The assumption baked into the code is that strchr() returns NULL once *copyFrom reaches the end of the string, so that the loop stops there.

That assumption is wrong for one specific case. The C11 standard specifies that strchr() searches the string including the null terminator. When *copyFrom reaches the null terminator at the end of the buffer, strchr(w_space, '\0') returns a non-NULL pointer rather than NULL. The loop continues. The pointer advances into whatever memory happens to be adjacent.

The Heap Memory Problem

Squid manages memory using per-size freelists. When a buffer is freed and reallocated, it is not zeroed. HTTP request buffers from previous users sit in the same memory pools as the FTP parsing buffers. When the overread walks forward through heap memory, it can reach stale HTTP request data from a completely different user’s session, potentially capturing authentication headers, session cookies, and API keys.

An attacker with access to an FTP server reachable through the proxy can craft a directory listing line with no filename after the timestamp, triggering the overread at will:

    d [R----F--] supervisor            512       Jan 16 18:53

The fix is a single character addition: checking *copyFrom before calling strchr():

    while (*copyFrom && strchr(w_space, *copyFrom))
        ++copyFrom;

Twenty-nine years. One character.
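The root cause and the fix side by side, as an added example that is neither Squid's code nor Calif.io's. It models the unzeroed free-list block as a local array (the listing buffer, its terminator, then stale bytes of another user's request), so the walk past the terminator stays inside memory the program owns; the contents of w_space and the stale request bytes are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Whitespace set assumed for Squid's w_space (the page names it, not its contents). */
static const char w_space[] = " \t\r\n";

/* Constructed inputs: a NetWare-style listing line with trailing spaces and no
 * filename after the timestamp, and stale bytes from another user's HTTP request. */
static const char listing_line[] =
    "d [R----F--] supervisor            512       Jan 16 18:53   ";
static const char stale_request[] =
    "GET /intranet/ HTTP/1.1\r\nAuthorization: Basic dXNlcjpzZWNyZXQ=\r\n";

/* Model of an unzeroed free-list: the listing buffer (with its '\0') followed
 * immediately by a previous request buffer. Walking it stays inside our own array. */
static char arena[256];
static const char *build_arena(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, listing_line, sizeof listing_line);   /* copies the '\0' too */
    memcpy(arena + sizeof listing_line, stale_request, sizeof stale_request);
    return arena + sizeof listing_line - 4;             /* first trailing space */
}

/* Root cause, C11 7.24.5.2: the terminator is part of the string strchr() searches. */
int strchr_matches_nul(void) {
    return strchr(w_space, '\0') != NULL;   /* 1: '\0' is "found" in w_space */
}

/* Squid's loop before the fix: '\0' passes the guard, so the walk continues. */
static const char *skip_ws_vulnerable(const char *copyFrom) {
    while (strchr(w_space, *copyFrom))
        ++copyFrom;
    return copyFrom;
}

/* The fix: test the byte first so strchr() never sees '\0'. */
static const char *skip_ws_fixed(const char *copyFrom) {
    while (*copyFrom && strchr(w_space, *copyFrom))
        ++copyFrom;
    return copyFrom;
}

/* 1 if the unfixed loop stops inside the stale request data, past the terminator. */
int vulnerable_lands_in_stale_data(void) {
    const char *stop = skip_ws_vulnerable(build_arena());
    return stop == arena + sizeof listing_line && strncmp(stop, "GET ", 4) == 0;
}

/* 1 if the fixed loop stops exactly on the listing line's terminator. */
int fixed_stops_at_terminator(void) {
    const char *stop = skip_ws_fixed(build_arena());
    return *stop == '\0' && stop == arena + sizeof listing_line - 1;
}
```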

How Claude Mythos Found It

Calif.io published a detailed account of their discovery process. They fed Squid’s FTP parser source into Claude Mythos Preview as part of a broader code analysis session. The model flagged the strchr usage almost immediately, citing the specific clause from the C11 specification: strchr(w_space, '\0') returns non-NULL per C11 §7.24.5.2.

That’s the kind of deep recall that makes AI-assisted code review genuinely different from static analysis tools. A linter catches common patterns. An AI model with comprehensive knowledge of language specifications and standard library semantics can reason about edge cases that don’t fit any pattern, in code that a human reviewer would skim past as “obviously correct whitespace handling.”

This follows the FFmpeg story from earlier this year, where an AI agent found 21 zero-days in one pass through the codebase. The pattern is becoming hard to ignore: decades-old codebases written in memory-unsafe languages contain bugs that humans consistently miss and that AI models, given enough context, can surface quickly. The question for the security industry is what to do with that capability at scale.

Who Is Exposed

The practical risk depends on your Squid deployment. The highest-exposure scenario is a corporate or institutional proxy serving multiple users over cleartext HTTP: internal intranet applications, legacy enterprise software, anything not yet behind HTTPS. An attacker with access to that network who can route a crafted FTP request through the proxy could exfiltrate request data from other users without any visible side effects.

HTTPS traffic is unaffected. Squid handles encrypted tunnels as CONNECT passthrough, and the FTP parser never touches that traffic.

Patching is the right call, but if your environment doesn't actually use Squid's FTP proxy support, disabling it now removes the attack surface entirely until you can schedule the upgrade. Most organisations will find that FTP proxy support has been sitting dormant for years.

Patching

Squid 7.6, released in June 2026, includes the fix. The patch was merged into the version 8 development branch in April 2026 and backported to version 7 in May. If you’re on Squid 6.x or earlier, upgrading is the path: there are no backport patches planned for EOL branches.


Frequently Asked Questions

What is Squidbleed and which environments are most at risk?
Squidbleed (CVE-2026-47729) is a heap buffer overread in Squid Proxy's FTP parser that causes it to read stale HTTP request data from adjacent heap memory, potentially exposing credentials and session tokens belonging to other users. The risk is highest in shared proxy environments: corporate networks routing multiple users through a single Squid instance, university and school proxies, and public Wi-Fi hotspots. Standard HTTPS traffic tunnelled as CONNECT requests is unaffected; the exposure is limited to cleartext HTTP and deployments where Squid terminates TLS.
How did an AI model find a vulnerability that went undetected for 29 years?
Claude Mythos Preview identified a subtle edge case in C's strchr() standard library function: per the C11 specification, strchr() returns a non-NULL pointer when the search character is the null terminator, rather than NULL as many developers assume. The vulnerable loop in Squid's FTP parser used strchr() as its loop guard without checking for the null terminator, so when the pointer reached the end of the buffer it kept advancing into adjacent heap memory. This kind of deep knowledge of standard library semantics and C memory model behaviour is exactly where AI-assisted code review has started outperforming traditional static analysis tools.
How do I patch or mitigate Squidbleed immediately?
Update to Squid 7.6 (June 2026) or later, which ships the fix. If immediate patching isn't possible, disabling FTP support removes the attack surface, since the vulnerability lives entirely in the FTP directory listing parser. In most corporate environments FTP proxy support is vestigial: modern browsers dropped native FTP support years ago, making this a low-impact mitigation for the vast majority of deployments. Check your squid.conf for 'ftp_port' or 'acl' entries permitting FTP and comment them out.