CVE-2026-33526 — Use After Free in Squid

CWE-416 — Use After Free CWE-826 — Premature Release of Resource During Expected Lifetime CWE-825 — Expired Pointer Dereference9 documents9 sources

Severity

9.2CRITICALNVD

EPSS

1.7%

top 17.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid-cache Squid Squid

Timeline

PublishedMar 26

Latest updateApr 8

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rule…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Packages3 packages

▶CVEListV5squid-cache/squid< 7.5

▶NVDsquid-cache/squid< 7.5

▶Debiansquid/squid< 7.5-1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33526: Squid is a caching proxy for the Web↗2026-03-26

▶

CVEList

Squid vulnerable to Denial of Service in ICP Request handling↗2026-03-26

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2026-04-08

▶

Red Hat

squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling↗2026-03-26

▶

Microsoft

Squid vulnerable to Denial of Service in ICP Request handling↗2026-03-10

▶

Debian

CVE-2026-33526: squid - Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-Afte...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33526 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling↗2026-03-26

▶