CVE-2026-33526

Squid is a caching proxy for the Web. Prior to version 7.5, due to a heap use-after-free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using the ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure a non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

Configurations

Configuration 1

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

History

31 Mar 2026, 01:18

| Type | Values Removed | Values Added |
|---|---|---|
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 7.5 |
| References | () https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91 - | () https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91 - Patch |
| References | () https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg - | () https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg - Vendor Advisory |
| References | () http://www.openwall.com/lists/oss-security/2026/03/25/2 - | () http://www.openwall.com/lists/oss-security/2026/03/25/2 - Third Party Advisory |
| First Time | | Squid-cache squid; Squid-cache |
| Summary | | (es) Squid is a caching proxy for the Web. Before version 7.5, due to a heap use-after-free, Squid is vulnerable to denial of service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable denial-of-service attack against the Squid service using the ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (that is, configure a non-zero 'icp_port'). This problem _cannot_ be mitigated by denying ICP queries using 'icp_access' rules. Version 7.5 contains a patch. |
| CPE | | cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:* |

26 Mar 2026, 01:16

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2026-03-26 01:16

Updated : 2026-03-31 01:18


NVD link : CVE-2026-33526

Mitre link : CVE-2026-33526

CVE.ORG link : CVE-2026-33526



Products Affected

squid-cache

  • squid
CWE
CWE-416

Use After Free

CWE-826

Premature Release of Resource During Expected Lifetime