CVE-2026-32748
published 2026-03-26CVE-2026-32748: Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid…
PriorityP350high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
8.93%
94.6th percentile
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 7.5-1 (forky) | squid 7.5-1 (forky) |
| msrc | azl3_squid_6.13-3_on_azure_linux_3.0 | — | — |
| squid-cache | squid | < 7.5 | 7.5 |
| squid | squid | >= 0 < 7.5-1 | 7.5-1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv8.7HIGH
vendor_debian8.7HIGH
vendor_redhat8.7HIGH
vendor_msrc7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2026-04-08
CVE-2026-32748 Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
It was discovered that Squid incorrectly handled certain ICP traffic. In
environments where ICP support is enabled, a remote attacker could use this
issue to cause Squid to crash, resulting in a denial of service, or obtain
small amounts of sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
Squid: Squid: Denial of Service via crafted ICP traffic
vendor_redhat·2026-03-26·CVSS 8.7
CVE-2026-32748 [HIGH] CWE-826 Squid: Squid: Denial of Service via crafted ICP traffic
Squid: Squid: Denial of Service via crafted ICP traffic
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
A flaw was found in Squid. A remote attacker can exploit this vulnerability by sending specially crafted ICP (Internet Cache Protocol)
Microsoft
Squid has Denial of Service in ICP Response handling
vendor_msrc·2026-03-10·CVSS 7.5
CVE-2026-32748 [HIGH] CWE-413 Squid has Denial of Service in ICP Response handling
Squid has Denial of Service in ICP Response handling
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Debian
CVE-2026-32748: squid - Squid is a caching proxy for the Web. Prior to version 7.5, due to premature rel...
vendor_debian·2026·CVSS 8.7
CVE-2026-32748 [HIGH] CVE-2026-32748: squid - Squid is a caching proxy for the Web. Prior to version 7.5, due to premature rel...
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 7.5-1)
sid: resolved (fixed in 7.5-1)
trixie: open
OSV
CVE-2026-32748: Squid is a caching proxy for the Web
osv·2026-03-26·CVSS 8.7
CVE-2026-32748 [HIGH] CVE-2026-32748: Squid is a caching proxy for the Web
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-33515 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-33515 [CRITICAL] CVE-2026-33515 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33515 :
Squid vulnerability analysis and mitigation
icp_port
icp_access
Source : NVD
## 6.9
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Squid
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
squid
squid34
Sources
NVD
CBL-Mariner 3.0 Severity MEDIUM Has Fix Added at: Mar 29, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 26, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 26, 2026
Echo Severity MEDIUM No Fix Added at: Mar 26, 2026
Homebrew Severity MEDIUM Has Fix Added at: Apr 02, 2026
Nix Severity MEDIUM Has Fix Added at:
Wiz
CVE-2026-33526 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-33526 [CRITICAL] CVE-2026-33526 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33526 :
Squid vulnerability analysis and mitigation
icp_port
icp_access
Source : NVD
## 9.2
Score
Published March 26, 2026
Severity CRITICAL
CNA Score 9.2
Affected Technologies
Squid
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 82.3
Exploitation Probability (EPSS) 1.7
Affected packages and libraries
squid:4::squid
squid
Sources
NVD
AlmaLinux 9 Severity HIGH Has Fix Added at: Apr 02, 2026
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Mar 29, 2026
Debian 11 Severity HIGH No Fix Added at: Mar 26, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 26, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 26, 2026
Echo Severity HIGH No Fix Adde
Wiz
CVE-2026-32748 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-32748 [CRITICAL] CVE-2026-32748 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32748 :
Squid vulnerability analysis and mitigation
icp_port
icp_access
Source : NVD
## 8.7
Score
Published March 26, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Squid
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 79.5
Exploitation Probability (EPSS) 1.3
Affected packages and libraries
squid:4::squid
squid
Sources
NVD
AlmaLinux 9 Severity HIGH Has Fix Added at: Apr 02, 2026
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Mar 29, 2026
Debian 11 Severity HIGH No Fix Added at: Mar 26, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 26, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 26, 2026
Echo Severity HIGH No Fix Added at
Bugzilla
CVE-2026-32748 squid: Squid: Denial of Service via crafted ICP traffic [fedora-all]
bugzilla·2026-03-26·CVSS 8.7
CVE-2026-32748 [HIGH] CVE-2026-32748 squid: Squid: Denial of Service via crafted ICP traffic [fedora-all]
CVE-2026-32748 squid: Squid: Denial of Service via crafted ICP traffic [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-e6a4814a4d (squid-7.5-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-e6a4814a4d
---
FEDORA-2026-c0590bd498 (squid-7.5-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-c0590bd498
Bugzilla
CVE-2026-32748 Squid: Squid: Denial of Service via crafted ICP traffic
bugzilla·2026-03-26·CVSS 8.7
CVE-2026-32748 [HIGH] CVE-2026-32748 Squid: Squid: Denial of Service via crafted ICP traffic
CVE-2026-32748 Squid: Squid: Denial of Service via crafted ICP traffic
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:6301 ht
https://github.com/squid-cache/squid/commit/703e07d25ca6fa11f52d20bf0bb879e22ab7481bhttps://github.com/squid-cache/squid/security/advisories/GHSA-f9p7-3jqg-hhvqhttp://www.openwall.com/lists/oss-security/2026/03/25/3https://access.redhat.com/errata/RHSA-2026:10255https://access.redhat.com/errata/RHSA-2026:10256https://access.redhat.com/errata/RHSA-2026:10257https://access.redhat.com/errata/RHSA-2026:11901https://access.redhat.com/errata/RHSA-2026:20564https://access.redhat.com/errata/RHSA-2026:20565https://access.redhat.com/errata/RHSA-2026:20580https://access.redhat.com/errata/RHSA-2026:6301https://access.redhat.com/errata/RHSA-2026:8119https://access.redhat.com/errata/RHSA-2026:8317https://access.redhat.com/errata/RHSA-2026:8880https://access.redhat.com/errata/RHSA-2026:9220https://access.redhat.com/security/cve/CVE-2026-32748https://bugzilla.redhat.com/show_bug.cgi?id=2451577https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32748.json
2026-03-26
Published