Description
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
Published: 2026-03-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Squid, a widely used web caching proxy, contains a heap use‑after‑free bug triggered during ICP response handling. The bug arises from premature release of resources before their intended lifetime, allowing remote attackers to send crafted ICP traffic and cause the service to crash or become unreachable. The impact is a complete denial of service to all users of the affected proxy.

Affected Systems

Any installation of Squid older than version 7.5 that has ICP enabled (icp_port set to a non‑zero value). This includes typical server deployments that accept ICP queries for cache coordination. Clients interacting with such a proxy would experience service interruption once the vulnerable process terminates.

Risk and Exploitability

The vulnerability scores 8.7 on the CVSS scale, indicating a high severity. The exploit probability according to EPSS is low at <1 %, and the issue is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Despite the limited probability, the attack vector is remote and straightforward: an adversary can trigger the crash by sending malformed ICP packets. Because the issue cannot be mitigated by access rules such as icp_access, the only definitive protection is to update the software.

Generated by OpenCVE AI on April 22, 2026 at 03:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Squid update to version 7.5 or later, which patches the heap use‑after‑free flaw.
  • If an update is not immediately feasible, restrict incoming ICP traffic to trusted hosts or drop the ICP service entirely by setting icp_port to zero, acknowledging that this is a temporary measure rather than a fix.
  • Implement monitoring and automatic restart of the Squid service to reduce downtime caused by crashes, or configure an intrusion detection system to alert on anomalous ICP traffic.

Generated by OpenCVE AI on April 22, 2026 at 03:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8157-1 Squid vulnerabilities
History

Thu, 26 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Squid-cache
Squid-cache squid
Vendors & Products Squid-cache
Squid-cache squid

Thu, 26 Mar 2026 01:30:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
Title Squid has Denial of Service in ICP Response handling
Weaknesses CWE-413
CWE-416
CWE-826
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}

Subscriptions

Squid-cache Squid
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T15:02:31.962Z

Reserved: 2026-03-13T18:53:03.531Z

Link: CVE-2026-32748

cve-icon Vulnrichment

Updated: 2026-03-26T00:24:52.135Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T01:16:26.850

Modified: 2026-03-26T20:43:15.687

Link: CVE-2026-32748

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T00:11:01Z

Links: CVE-2026-32748 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T03:45:06Z

Weaknesses