Description
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Published: 2026-03-26
Score: 9.2 Critical
EPSS: 2.1% Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Squid, the Web caching proxy, suffers from a heap use‑after‑free error that can be triggered by crafted ICP (Internet Cache Protocol) requests. A remote attacker able to reach the ICP service can cause the Squid process to crash, resulting in a reliable denial of service. The flaw is a memory safety defect and therefore a high‑severity issue.

Affected Systems

Products affected are Squid caching proxy versions earlier than 7.5. The vulnerability applies only to configurations that have ICP enabled, i.e., a non‑zero icp_port value. No other products or vendor versions are reported as affected.

Risk and Exploitability

The CVSS score of 9.2 indicates critical severity, while the EPSS score of 2 % suggests a relatively low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. An attacker with network reach to the ICP port can exploit the flaw; local privileges are not required. Successful exploitation results in a service crash and downtime until a restart.

Generated by OpenCVE AI on March 31, 2026 at 06:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Squid to a version 7.5 or newer to apply the patch that fixes the heap use‑after‑free bug.
  • If an upgrade cannot be performed immediately, disable ICP support by setting icp_port to 0 or removing ICP from the configuration, which stops the service from listening on that port.
  • Verify that firewall or icp_access rules do not inadvertently allow traffic, as they do not mitigate the issue.

Generated by OpenCVE AI on March 31, 2026 at 06:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8157-1 Squid vulnerabilities
History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Squid-cache
Squid-cache squid
Vendors & Products Squid-cache
Squid-cache squid

Thu, 26 Mar 2026 01:30:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Title Squid vulnerable to Denial of Service in ICP Request handling
Weaknesses CWE-416
CWE-826
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}

Subscriptions

Squid-cache Squid
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:20:40.309Z

Reserved: 2026-03-20T18:05:11.830Z

Link: CVE-2026-33526

cve-icon Vulnrichment

Updated: 2026-03-26T00:24:58.639Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T01:16:27.877

Modified: 2026-03-31T01:18:03.043

Link: CVE-2026-33526

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T00:16:12Z

Links: CVE-2026-33526 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:09:11Z

Weaknesses