Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.
Not much information available, but this CVE itself only appears to be
information disclosure, and apparently no public fix yet.
4.15 is in stable now.
> This can be leveraged as part of a chain for remote code execution as nobody.
This will get a GLSA, new GLSA request filed.
This issue was resolved and addressed in
GLSA 202105-14 at https://security.gentoo.org/glsa/202105-14
by GLSA coordinator Thomas Deutschmann (whissi).