CVE-2021-31808
Description
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products (5)
- Squid/Squid (source: description)
- osv-coords (3 versions): < 1.0.1-2.module_el8.6.0+2741+01592ae8 + 2 more
- (no CPE) range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- (no CPE) range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- (no CPE) range: < 7:4.15-3.module_el8.6.0+3010+383bc947.1
Patches
Vulnerability mechanics
Root cause
"Missing input validation on HTTP Range header values allows integer overflow."
Attack vector
An attacker sends an HTTP request containing a crafted Range header to the Squid proxy. Due to an input-validation bug, the integer arithmetic performed on the range values overflows, leading to memory corruption or an assertion failure. This causes a denial of service against all clients using the proxy, as Squid crashes or becomes unresponsive [ref_id=1].
Affected code
The vulnerability is in Squid's handling of HTTP Range headers. The advisory lists it as "Integer Overflow in Range Header" [ref_id=1]. No specific function or file paths are provided in the bundle.
What the fix does
The advisory does not include a patch or specific remediation guidance. It notes that the issue affects Squid before 4.15 and 5.x before 5.0.6, which places the fix in 4.15 and 5.0.6, but no technical details of the fix are provided in the bundle [ref_id=1].
Preconditions
- network: The attacker must be able to send HTTP requests to the Squid proxy.
- input: The attacker must craft an HTTP Range header with values that trigger an integer overflow.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (9)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/ (mitre, vendor-advisory)
- www.debian.org/security/2021/dsa-4924 (mitre, vendor-advisory)
- seclists.org/fulldisclosure/2023/Oct/14 (mitre, mailing-list)
- www.openwall.com/lists/oss-security/2023/10/11/3 (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2021/06/msg00014.html (mitre, mailing-list)
- www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch (mitre)
- github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf (mitre)
- security.netapp.com/advisory/ntap-20210716-0007/ (mitre)