CVE-2026-32748
Use-After-Free in Squid ICP Handling Causes Denial of Service
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| squid-cache | squid | to 7.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-826 | The product releases a resource that is still intended to be used by itself or another actor. |
| CWE-413 | The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling ICP support entirely or setting the `icp_port` configuration to 0 in your Squid configuration file.
This will prevent Squid from handling ICP traffic, which is the vector for this Denial of Service vulnerability.
Note that denying ICP queries using `icp_access` rules does not mitigate this vulnerability.
The recommended permanent fix is to upgrade Squid to version 7.5 or later, where this vulnerability has been addressed.
If upgrading immediately is not possible, applying available patches for stable releases is advised.
Can you explain this vulnerability to me?
CVE-2026-32748 is a high-severity Denial of Service (DoS) vulnerability in the Squid caching proxy, affecting versions prior to 7.5 when handling ICP (Internet Cache Protocol) traffic.
The vulnerability arises from improper resource management, including premature release of resources during their expected lifetime and heap Use-After-Free bugs. Specifically, Squid incorrectly manages the lifetime of HttpRequest objects during ICP query processing, leading to use-after-free conditions.
This flaw allows a remote attacker to reliably and repeatedly cause a Denial of Service by exploiting ICP request handling in Squid deployments that have ICP support explicitly enabled via a non-zero icp_port configuration.
The vulnerability cannot be mitigated by denying ICP queries using icp_access rules and was fixed in Squid version 7.5 by replacing raw pointer usage with smart pointers and improving resource locking and lifetime management.
How can this vulnerability impact me? :
This vulnerability allows a remote attacker to perform a reliable and repeatable Denial of Service (DoS) attack against the Squid service.
The impact is primarily on availability, as the attacker can disrupt Squid's proxy service by exploiting the ICP protocol handling bugs.
No privileges or user interaction are required for exploitation, making it easier for attackers to cause service disruption remotely.
The vulnerability only affects Squid deployments with ICP support enabled (non-zero icp_port). Systems without ICP enabled or with icp_port set to 0 are not vulnerable.
Workarounds include disabling ICP support entirely or setting icp_port to 0 until the system is upgraded to Squid version 7.5 or later.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect if your Squid installation is vulnerable to CVE-2026-32748, you need to check whether ICP support is enabled and which version of Squid you are running.
Specifically, you can run the following command to check if ICP is enabled and on which port:
`squid -k parse 2>&1 | grep -E "(icp|udp)_port" | tail -n1`
If this command returns a non-zero port number for `icp_port`, your Squid instance is vulnerable if it is running a version prior to 7.5. Versions 3.0 through 7.4 with a non-zero ICP port are affected.
If the port is zero or ICP is not enabled, the vulnerability does not apply.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-32748 is a high-severity Denial of Service (DoS) vulnerability that impacts the availability of the Squid caching proxy service when ICP support is enabled. The vulnerability allows remote attackers to disrupt service without requiring privileges or user interaction.
The vulnerability primarily affects availability and does not impact confidentiality or integrity of data handled by Squid.
Since common standards and regulations like GDPR and HIPAA emphasize the protection of confidentiality, integrity, and availability of data, this vulnerability could affect compliance by causing service outages and impacting availability requirements.
However, there is no indication from the provided information that this vulnerability leads to unauthorized data disclosure or modification, so its impact on confidentiality and integrity compliance requirements is minimal or none.
Organizations relying on Squid with ICP enabled should consider this vulnerability as a risk to service availability and take appropriate mitigation steps such as upgrading to Squid 7.5 or disabling ICP support to maintain compliance with availability requirements in relevant standards.