Calif.io Uses Claude Mythos to Surface 29-Year-Old Squid Proxy Memory Leak
TL;DR
- CVE-2026-47729 (Squidbleed) is a 29-year-old heap overread in Squid's FTP parser that can leak HTTP credentials from shared proxy users.
- Anthropic's Claude Mythos Preview found the flaw by analyzing Squid's FTP state machine, immediately flagging how strchr handles the null terminator.
- A patch shipped in Squid v7.6 on June 8, 2026; exploitation requires the attacker to already be a legitimate proxy user controlling an FTP server.
A heap buffer overread that has been hiding in Squid Proxy since a commit dated January 18, 1997, was disclosed this month by researchers at Calif.io, who named it Squidbleed and registered it as CVE-2026-47729. As The Hacker News reports, the flaw carries a CVSS score of 6.5, affects Squid's default configuration, and lets an attacker with proxy access leak cleartext HTTP requests from other users on the same proxy, including credentials and session tokens.
The root cause is a C language edge case. Squid's FTP directory-listing parser uses strchr() in a loop to skip whitespace after parsing timestamps. In C, strchr() treats the terminating null byte as part of the string it searches, so asking it to locate the null terminator returns a non-NULL pointer rather than NULL. When no filename follows a timestamp in a malformed FTP response, the loop therefore does not stop at the end of the string, and the pointer walks off the buffer boundary into adjacent memory. Because Squid recycles memory pool buffers without zeroing them, that adjacent memory may contain stale HTTP request data from a different user's session. Researchers confirmed an overread of up to 4,065 bytes via AddressSanitizer, and demonstrated extracting Authorization headers from login pages on a shared proxy.
What makes the story notable beyond the age of the bug is how it was found. According to CybersecurityNews, Anthropic's Claude Mythos Preview identified the vulnerability through multi-agent analysis of Squid's FTP state machine, flagging the strchr null terminator behavior immediately. The initial report was filed on April 17, 2026; a fix was merged into Squid version 8 two days later, on April 19, and into version 7 on May 17. Squid v7.6, which ships the patch, was released on June 8, 2026. The fix itself is a single-line null check added before the strchr call.
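The strchr() edge case and the null-check fix described above, as an added example that is a simplified model and not Squid's source code. The function names, the whitespace set, the 64-byte buffer and both sample strings are constructed for illustration; every read stays inside the one array.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical whitespace set. Its own terminating '\0' is what strchr() matches. */
static const char W_SPACE[] = " \t\r\n";

/* Constructed stand-in for a recycled pool buffer that is not zeroed on reuse. */
static char pool[64];

/* Unchecked pattern: strchr(W_SPACE, '\0') is non-NULL, so the loop steps past the terminator. */
static const char *skip_ws_unchecked(const char *p)
{
    while (strchr(W_SPACE, *p))
        p++;
    return p;
}

/* Hardened pattern: test for the terminator before calling strchr(). */
static const char *skip_ws_checked(const char *p)
{
    while (*p != '\0' && strchr(W_SPACE, *p))
        p++;
    return p;
}

/* Reuse the buffer for a listing line that ends right after the timestamp. */
static const char *parse_after_timestamp(int checked)
{
    static const char stale[] = "PREVIOUS-USER-REQUEST-BYTES"; /* constructed */
    static const char line[]  = "Jan 18  1997 ";               /* constructed, no filename */

    memset(pool, 0, sizeof pool);
    memcpy(pool, stale, sizeof stale);  /* earlier use of the buffer */
    memcpy(pool, line, sizeof line);    /* shorter new content; the tail of stale remains */

    const char *p = pool + strlen(line) - 1;  /* trailing space after the timestamp */
    return checked ? skip_ws_checked(p) : skip_ws_unchecked(p);
}

int main(void)
{
    printf("unchecked: \"%s\"\n", parse_after_timestamp(0));
    printf("checked:   \"%s\"\n", parse_after_timestamp(1));
    return 0;
}
```

The unchecked variant returns a pointer into the leftover bytes of the earlier buffer contents, while the checked variant stops on the terminator of the new line.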
The honest caveat is that a CVSS 6.5 rating reflects real constraints: the attacker must already be a legitimate proxy user and must control an FTP server reachable from the proxy. HTTPS traffic is unaffected, since it travels through CONNECT tunnels. A public proof-of-concept exists on GitHub, but no in-the-wild exploitation had been reported as of publication. What the reporting does not give you is any estimate of how many Squid deployments remain unpatched, or how quickly enterprises and ISPs are likely to apply v7.6.
The forward-looking angle here is less about this specific bug than about the auditing pattern. A 29-year-old bug in a widely deployed open-source proxy, rooted in a subtle C standard behavior, was caught not by a manual code audit but by an AI agent running through a state machine. If that pattern holds, legacy codebases with long-dormant C parsing code may be the next systematic target for AI-assisted security research.
Originally reported by thehackernews.com
Original headline: Squidbleed (CVE-2026-47729): Claude Mythos AI Finds 29-Year-Old Squid Proxy Memory Leak Exposing User HTTP Credentials