CVE-2021-31806
Description
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Squid/Squid
- OSV coordinates (23 affected package versions):
- pkg:rpm/almalinux/libecap: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- pkg:rpm/almalinux/libecap-devel: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- pkg:rpm/almalinux/squid: < 7:4.15-3.module_el8.6.0+3010+383bc947.1
- pkg:rpm/opensuse/squid (openSUSE Leap 15.2): < 4.15-lp152.2.9.1
- pkg:rpm/opensuse/squid (openSUSE Leap 15.3): < 4.15-5.26.1
- pkg:rpm/opensuse/squid (openSUSE Tumbleweed): < 4.16-1.5
- pkg:rpm/suse/squid (SUSE Enterprise Storage 6): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise High Performance Computing 15-ESPOS): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise High Performance Computing 15-LTSS): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Module for Server Applications 15 SP2): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Module for Server Applications 15 SP3): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server 12 SP5): < 4.15-4.18.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server 15 SP1-BCL): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server 15 SP1-LTSS): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server 15-LTSS): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 4.15-4.18.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server for SAP Applications 15): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Linux Enterprise Server for SAP Applications 15 SP1): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Manager Proxy 4.0): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Manager Retail Branch Server 4.0): < 4.15-5.26.1
- pkg:rpm/suse/squid (SUSE Manager Server 4.0): < 4.15-5.26.1
Patches
Vulnerability mechanics
Root cause
"Memory-management bug in HTTP Range request processing leads to an assertion failure on unsatisfiable range requests."
Attack vector
An attacker sends HTTP requests with crafted Range headers that specify byte ranges which cannot be satisfied by the cached or requested content. The advisory classifies this as an "Unsatisfiable Range Requests Assertion" [ref_id=1]. Processing such a request triggers a memory-management bug that causes an assertion failure, crashing the Squid process and denying service to all clients using the proxy.
Affected code
The advisory lists "Unsatisfiable Range Requests Assertion CVE-2021-31806" as one of the discovered issues [ref_id=1]. No specific function or file paths are provided in the bundle.
What the fix does
The advisory states that Squid versions before 4.15 and 5.x before 5.0.6 are affected, implying the fix was applied in those releases. No patch diff is included in the bundle. The remediation guidance is to upgrade to Squid 4.15 or 5.0.6 or later, which corrects the memory-management bug in HTTP Range request processing that caused the assertion crash.
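As an added illustration (not Squid's code and not the patch the advisory refers to), the following Python shows the behaviour a correct Range handler needs for the case this CVE describes: a syntactically valid but unsatisfiable byte-range-set maps to 416 Range Not Satisfiable and a malformed one is ignored, rather than reaching an assertion. The function names and the RFC 7233 rules encoded here are assumptions about what a compliant implementation does, not anything taken from the Squid source.

```python
"""Illustrative HTTP Range satisfiability check (RFC 7233, sections 2.1 and 4.4).

Added example, not Squid's code: a Range header that cannot be satisfied
against the known entity length must yield 416, and a syntactically invalid
one must be ignored (full 200 response), never turned into an assertion.
"""
import re
from typing import List, Optional, Tuple

_SPEC = re.compile(r"^(\d*)-(\d*)$")  # first-byte-pos "-" last-byte-pos


def parse_byte_ranges(header: str, entity_len: int) -> Optional[List[Tuple[int, int]]]:
    """Return the satisfiable (first, last) ranges, [] when the header must be
    ignored (unknown unit or bad syntax: serve the full body), or None when the
    byte-range-set is valid but entirely unsatisfiable (serve 416)."""
    if not header.lower().startswith("bytes="):
        return []
    ranges: List[Tuple[int, int]] = []
    for spec in header[6:].split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return []  # malformed byte-range-spec: ignore the whole header
        first, last = m.group(1), m.group(2)
        if first == "":  # suffix-byte-range-spec: the last N bytes
            n = int(last)
            if n == 0 or entity_len == 0:
                continue  # nothing to serve from this spec
            ranges.append((max(entity_len - n, 0), entity_len - 1))
            continue
        start = int(first)
        end = entity_len - 1 if last == "" else int(last)
        if last != "" and end < start:
            return []  # last-byte-pos < first-byte-pos is a syntax error
        if start >= entity_len:
            continue  # starts past the end: this spec is unsatisfiable
        ranges.append((start, min(end, entity_len - 1)))
    return ranges if ranges else None


def range_status(header: str, entity_len: int) -> int:
    """Map a Range header to the status code a compliant server sends."""
    ranges = parse_byte_ranges(header, entity_len)
    if ranges is None:
        return 416
    return 206 if ranges else 200
```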
Preconditions
- network: The attacker must be able to send HTTP requests to the vulnerable Squid proxy.
- input: The Range header must specify byte ranges that cannot be satisfied by the proxy.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/ (vendor advisory, via MITRE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/ (vendor advisory, via MITRE)
- www.debian.org/security/2021/dsa-4924 (vendor advisory, via MITRE)
- seclists.org/fulldisclosure/2023/Oct/14 (mailing list, via MITRE)
- www.openwall.com/lists/oss-security/2023/10/11/3 (mailing list, via MITRE)
- lists.debian.org/debian-lts-announce/2021/06/msg00014.html (mailing list, via MITRE)
- www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch (via MITRE)
- github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf (via MITRE)
- security.netapp.com/advisory/ntap-20210716-0007/ (via MITRE)