Impact
Squid, a widely used web caching proxy, contains a heap use‑after‑free bug that is triggered during ICP response handling. Premature release of resources before their intended lifetime allows a remote attacker to send crafted ICP traffic and cause the service to crash or become unreachable. The crash leads to a complete denial of service for users of the affected proxy. This effect is a result of a memory corruption flaw (CWE‑413, CWE‑416, CWE‑826).
Affected Systems
Installations of Squid older than version 7.5 that have ICP support enabled (icp_port set to a non-zero value) are affected. These are typical server deployments that accept ICP queries for cache coordination. Because the service stops running when the flaw is triggered, clients connecting through the proxy would experience service interruption. The latter statement is inferred from the nature of a daemon crash.
Risk and Exploitability
The vulnerability scores 8.7 on the CVSS scale, indicating high severity. The EPSS score of 9 % indicates a moderate likelihood of exploitation in the wild. The issue is not currently listed in the CISA KEV catalog, implying no known active exploitation. The attack vector is remote: an adversary can trigger the crash by sending malformed ICP packets to the affected Squid instance. Since icp_access rules cannot mitigate it, the only reliable protection is to upgrade to Squid 7.5 or later, or to disable ICP support entirely.
OpenCVE Enrichment
Ubuntu USN