Description
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
Published: 2026-03-26
Score: 8.7 High
EPSS: 8.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Squid, a widely used web caching proxy, contains a heap use‑after‑free bug that is triggered during ICP response handling. Premature release of resources before their intended lifetime allows a remote attacker to send crafted ICP traffic and cause the service to crash or become unreachable. The crash leads to a complete denial of service for users of the affected proxy. This effect is a result of a memory corruption flaw (CWE‑413, CWE‑416, CWE‑826).

Affected Systems

Installations of Squid older than version 7.5 that have ICP support enabled (icp_port set to a non-zero value) are affected. These are typical server deployments that accept ICP queries for cache coordination. Because the service stops running when the flaw is triggered, clients connecting through the proxy would experience service interruption. The latter statement is inferred from the nature of a daemon crash.

Risk and Exploitability

The vulnerability scores 8.7 on the CVSS scale, indicating high severity. The EPSS score of 9 % indicates a moderate likelihood of exploitation in the wild. The issue is not currently listed in the CISA KEV catalog, implying no known active exploitation. The attack vector is remote: an adversary can trigger the crash by sending malformed ICP packets to the affected Squid instance. Since icp_access rules cannot mitigate it, the only reliable protection is to upgrade to Squid 7.5 or later, or to disable ICP support entirely.

Generated by OpenCVE AI on June 30, 2026 at 16:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Squid update to version 7.5 or later, which patches the heap use‑after‑free flaw.
  • If an immediate update is not feasible, disable ICP by setting icp_port to zero to eliminate the attack surface.
  • Optionally restrict inbound ICP traffic to trusted hosts using firewall rules or similar network controls, acknowledging that this is a mitigation rather than a fix.
  • Implement monitoring or an automated restart of the Squid service to minimize downtime in the event a crash occurs.

Generated by OpenCVE AI on June 30, 2026 at 16:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8157-1 Squid vulnerabilities
History

Thu, 26 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Squid-cache
Squid-cache squid
Vendors & Products Squid-cache
Squid-cache squid

Thu, 26 Mar 2026 01:30:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
Title Squid has Denial of Service in ICP Response handling
Weaknesses CWE-413
CWE-416
CWE-826
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}


Subscriptions

Squid-cache Squid
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:07:41.435Z

Reserved: 2026-03-13T18:53:03.531Z

Link: CVE-2026-32748

cve-icon Vulnrichment

Updated: 2026-03-26T00:24:52.135Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T01:16:26.850

Modified: 2026-06-17T10:36:19.030

Link: CVE-2026-32748

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T00:11:01Z

Links: CVE-2026-32748 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T16:15:06Z

Weaknesses
  • CWE-413

    Improper Resource Locking

  • CWE-416

    Use After Free

  • CWE-826

    Premature Release of Resource During Expected Lifetime