CVE-2026-33526
Published 2026-03-26
Priority P351 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 8.94% (94.6th percentile)
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 7.5-1 (forky) | squid 7.5-1 (forky) |
| msrc | azl3_squid_6.13-3_on_azure_linux_3.0 | — | — |
| squid-cache | squid | < 7.5 | 7.5 |
| squid | squid | >= 0 < 7.5-1 | 7.5-1 |
CVSS provenance
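| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 9.2 | CRITICAL | — |
| vendor_debian | — | 9.2 | CRITICAL | — |
| vendor_redhat | — | 9.2 | CRITICAL | — |
| vendor_msrc | — | 7.5 | HIGH | — |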
OSV
CVE-2026-33526: Squid is a caching proxy for the Web
osv·2026-03-26·CVSS 9.2
CVE-2026-33526 [CRITICAL] CVE-2026-33526: Squid is a caching proxy for the Web
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2026-04-08
CVE-2026-32748 Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
It was discovered that Squid incorrectly handled certain ICP traffic. In
environments where ICP support is enabled, a remote attacker could use this
issue to cause Squid to crash, resulting in a denial of service, or obtain
small amounts of sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling
vendor_redhat·2026-03-26·CVSS 9.2
CVE-2026-33526 [CRITICAL] CWE-825 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling
A flaw was found in Squid. A remote attacker can exploit a heap Use-After-Free vulnerability when handling ICP (Internet Cache Protocol) traffic. This allows them to perform a rel
Microsoft
Squid vulnerable to Denial of Service in ICP Request handling
vendor_msrc·2026-03-10·CVSS 7.5
CVE-2026-33526 [CRITICAL] CWE-416 Squid vulnerable to Denial of Service in ICP Request handling
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Debian
CVE-2026-33526: squid - Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-Afte...
vendor_debian·2026·CVSS 9.2
CVE-2026-33526 [CRITICAL] CVE-2026-33526: squid - Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-Afte...
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 7.5-1)
sid: resolved (fixed in 7.5-1)
trixie: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling [fedora-all]
bugzilla·2026-03-26·CVSS 9.2
CVE-2026-33526 [CRITICAL] CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-e6a4814a4d (squid-7.5-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-e6a4814a4d
---
FEDORA-2026-c0590bd498 (squid-7.5-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-c0590bd498
Bugzilla
CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling
bugzilla·2026-03-26·CVSS 9.2
CVE-2026-33526 [CRITICAL] CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:6301 https://access.redhat.com/errata/RHSA-2026:630
Wiz
CVE-2026-33515 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-33515 [CRITICAL] CVE-2026-33515 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33515: Squid vulnerability analysis and mitigation
icp_port
icp_access
Source: NVD
Score: 6.9
Published March 26, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Squid
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
squid
squid34
Sources
NVD
| Platform | Severity | Fix | Added at |
|---|---|---|---|
| CBL-Mariner 3.0 | MEDIUM | Has Fix | Mar 29, 2026 |
| Debian 11, 12, 13 | MEDIUM | No Fix | Mar 26, 2026 |
| Debian 14 | MEDIUM | Has Fix | Mar 26, 2026 |
| Echo | MEDIUM | No Fix | Mar 26, 2026 |
| Homebrew | MEDIUM | Has Fix | Apr 02, 2026 |
| Nix | MEDIUM | Has Fix | |
Wiz
CVE-2026-33526 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-33526 [CRITICAL] CVE-2026-33526 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33526: Squid vulnerability analysis and mitigation
icp_port
icp_access
Source: NVD
Score: 9.2
Published March 26, 2026
Severity CRITICAL
CNA Score 9.2
Affected Technologies
Squid
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 82.3
Exploitation Probability (EPSS) 1.7
Affected packages and libraries
squid:4::squid
squid
Sources
NVD
| Platform | Severity | Fix | Added at |
|---|---|---|---|
| AlmaLinux 9 | HIGH | Has Fix | Apr 02, 2026 |
| CBL-Mariner 3.0 | HIGH | Has Fix | Mar 29, 2026 |
| Debian 11 | HIGH | No Fix | Mar 26, 2026 |
| Debian 12, 13 | MEDIUM | No Fix | Mar 26, 2026 |
| Debian 14 | HIGH | Has Fix | Mar 26, 2026 |
| Echo | HIGH | No Fix | |
Wiz
CVE-2026-32748 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-32748 [CRITICAL] CVE-2026-32748 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32748: Squid vulnerability analysis and mitigation
icp_port
icp_access
Source: NVD
Score: 8.7
Published March 26, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Squid
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 79.5
Exploitation Probability (EPSS) 1.3
Affected packages and libraries
squid:4::squid
squid
Sources
NVD
| Platform | Severity | Fix | Added at |
|---|---|---|---|
| AlmaLinux 9 | HIGH | Has Fix | Apr 02, 2026 |
| CBL-Mariner 3.0 | HIGH | Has Fix | Mar 29, 2026 |
| Debian 11 | HIGH | No Fix | Mar 26, 2026 |
| Debian 12, 13 | MEDIUM | No Fix | Mar 26, 2026 |
| Debian 14 | HIGH | Has Fix | Mar 26, 2026 |
| Echo | HIGH | No Fix | |
https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91
https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg
http://www.openwall.com/lists/oss-security/2026/03/25/2
https://access.redhat.com/errata/RHSA-2026:10255
https://access.redhat.com/errata/RHSA-2026:10256
https://access.redhat.com/errata/RHSA-2026:10257
https://access.redhat.com/errata/RHSA-2026:11901
https://access.redhat.com/errata/RHSA-2026:20564
https://access.redhat.com/errata/RHSA-2026:20565
https://access.redhat.com/errata/RHSA-2026:20580
https://access.redhat.com/errata/RHSA-2026:6301
https://access.redhat.com/errata/RHSA-2026:8119
https://access.redhat.com/errata/RHSA-2026:8317
https://access.redhat.com/errata/RHSA-2026:8880
https://access.redhat.com/errata/RHSA-2026:9220
https://access.redhat.com/security/cve/CVE-2026-33526
https://bugzilla.redhat.com/show_bug.cgi?id=2451574
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33526.json
Published: 2026-03-26