CVE-2026-32748Improper Resource Locking in Squid

CWE-413Improper Resource LockingCWE-416Use After FreeCWE-826Premature Release of Resource During Expected Lifetime9 documents9 sources
Severity
8.7HIGHNVD
EPSS
1.3%
top 20.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Squid-cache SquidSquid
Timeline
PublishedMar 26
Latest updateApr 8

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _can

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Affected Packages3 packages

CVEListV5squid-cache/squid< 7.5
Debiansquid/squid< 7.5-1

Patches

Patch: github.comPatch: github.comPatch: www.openwall.com

🔴Vulnerability Details

2
CVEList
Squid has Denial of Service in ICP Response handling2026-03-26
OSV
CVE-2026-32748: Squid is a caching proxy for the Web2026-03-26

📋Vendor Advisories

4
Ubuntu
Squid vulnerabilities2026-04-08
Red Hat
Squid: Squid: Denial of Service via crafted ICP traffic2026-03-26
Microsoft
Squid has Denial of Service in ICP Response handling2026-03-10
Debian
CVE-2026-32748: squid - Squid is a caching proxy for the Web. Prior to version 7.5, due to premature rel...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-32748 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-32748 Squid: Squid: Denial of Service via crafted ICP traffic2026-03-26