CVE-2026-32748
Received Received - Intake
Use-After-Free in Squid ICP Handling Causes Denial of Service

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32748
EUVD
EUVD-2026-16056
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
squid-cache squid to 7.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-826 The product releases a resource that is still intended to be used by itself or another actor.
CWE-413 The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include disabling ICP support entirely or setting the `icp_port` configuration to 0 in your Squid configuration file.

This will prevent Squid from handling ICP traffic, which is the vector for this Denial of Service vulnerability.

Note that denying ICP queries using `icp_access` rules does not mitigate this vulnerability.

The recommended permanent fix is to upgrade Squid to version 7.5 or later, where this vulnerability has been addressed.

If upgrading immediately is not possible, applying available patches for stable releases is advised.

Executive Summary

CVE-2026-32748 is a high-severity Denial of Service (DoS) vulnerability in the Squid caching proxy, affecting versions prior to 7.5 when handling ICP (Internet Cache Protocol) traffic.

The vulnerability arises from improper resource management, including premature release of resources during their expected lifetime and heap Use-After-Free bugs. Specifically, Squid incorrectly manages the lifetime of HttpRequest objects during ICP query processing, leading to use-after-free conditions.

This flaw allows a remote attacker to reliably and repeatedly cause a Denial of Service by exploiting ICP request handling in Squid deployments that have ICP support explicitly enabled via a non-zero icp_port configuration.

The vulnerability cannot be mitigated by denying ICP queries using icp_access rules and was fixed in Squid version 7.5 by replacing raw pointer usage with smart pointers and improving resource locking and lifetime management.

Impact Analysis

This vulnerability allows a remote attacker to perform a reliable and repeatable Denial of Service (DoS) attack against the Squid service.

The impact is primarily on availability, as the attacker can disrupt Squid's proxy service by exploiting the ICP protocol handling bugs.

No privileges or user interaction are required for exploitation, making it easier for attackers to cause service disruption remotely.

The vulnerability only affects Squid deployments with ICP support enabled (non-zero icp_port). Systems without ICP enabled or with icp_port set to 0 are not vulnerable.

Workarounds include disabling ICP support entirely or setting icp_port to 0 until the system is upgraded to Squid version 7.5 or later.

Detection Guidance

To detect if your Squid installation is vulnerable to CVE-2026-32748, you need to check whether ICP support is enabled and which version of Squid you are running.

Specifically, you can run the following command to check if ICP is enabled and on which port:

`squid -k parse 2>&1 | grep -E "(icp|udp)_port" | tail -n1`

If this command returns a non-zero port number for `icp_port`, your Squid instance is vulnerable if it is running a version prior to 7.5. Versions 3.0 through 7.4 with a non-zero ICP port are affected.

If the port is zero or ICP is not enabled, the vulnerability does not apply.

Compliance Impact

CVE-2026-32748 is a high-severity Denial of Service (DoS) vulnerability that impacts the availability of the Squid caching proxy service when ICP support is enabled. The vulnerability allows remote attackers to disrupt service without requiring privileges or user interaction.

The vulnerability primarily affects availability and does not impact confidentiality or integrity of data handled by Squid.

Since common standards and regulations like GDPR and HIPAA emphasize the protection of confidentiality, integrity, and availability of data, this vulnerability could affect compliance by causing service outages and impacting availability requirements.

However, there is no indication from the provided information that this vulnerability leads to unauthorized data disclosure or modification, so its impact on confidentiality and integrity compliance requirements is minimal or none.

Organizations relying on Squid with ICP enabled should consider this vulnerability as a risk to service availability and take appropriate mitigation steps such as upgrading to Squid 7.5 or disabling ICP support to maintain compliance with availability requirements in relevant standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32748. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart