CVE-2026-33526
Use-After-Free in Squid ICP Handling Causes Denial of Service
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| squid-cache | squid | up to 7.5 (7.5 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
| CWE-826 | The product releases a resource that is still intended to be used by itself or another actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33526 is a critical vulnerability in the Squid caching proxy software affecting versions prior to 7.5 when handling ICP (Internet Cache Protocol) traffic.
The root cause is a heap Use-After-Free bug in the ICP request handling code, which allows a remote attacker to reliably and repeatedly crash the Squid service by sending specially crafted ICP packets.
This vulnerability only affects Squid deployments with ICP support explicitly enabled via a non-zero icp_port configuration. Disabling ICP by setting icp_port to 0 mitigates the issue.
Notably, access control rules (icp_access) cannot prevent exploitation of this vulnerability.
How can this vulnerability impact me?
This vulnerability allows a remote attacker to perform a reliable and repeatable Denial of Service (DoS) attack against the Squid service by crashing it when handling ICP traffic.
The impact is a high availability disruption, as the Squid proxy service can be forced to crash repeatedly, potentially causing service outages.
Since the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a significant risk to systems using Squid with ICP enabled.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect if your Squid deployment is vulnerable to CVE-2026-33526, you need to check if ICP support is enabled by verifying the configured ICP port.
You can run the following command to check the ICP port configuration:
- `squid -k parse 2>&1 | grep -E "(icp|udp)_port" | tail -n1`
If the output shows a non-zero port for icp_port, and your Squid version is prior to 7.5, your system is vulnerable. If icp_port is set to 0, ICP support is disabled and the system is not vulnerable.
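A small POSIX-sh check, added here as an example and not part of the advisory or of the Squid project, that combines the two conditions this answer names (a version below 7.5 and a non-zero effective icp_port) and runs offline on constructed sample input. The banner format `Squid Cache: Version X.Y` and the treatment of a missing icp_port directive as ICP disabled are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or Squid: decide exposure to CVE-2026-33526 from
# two strings, the `squid -v` banner and the configuration text. Offline inputs are
# constructed below; in practice pass "$(squid -v)" and "$(squid -k parse 2>&1)".

# Extract "major.minor" from a banner like "Squid Cache: Version 7.4" (assumed format).
squid_version() {
  printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n1
}

# True (0) when major.minor is below 7.5, the first fixed release named on this page.
version_is_affected() {
  major=${1%%.*}
  minor=${1#*.}; minor=${minor%%.*}
  [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -lt 5 ]; }
}

# Effective icp_port: comment lines are ignored and the last directive wins, as in
# squid.conf. No directive at all is reported as 0 (assumption: ICP stays disabled
# unless explicitly enabled, which is what the advisory states).
effective_icp_port() {
  port=$(printf '%s\n' "$1" \
    | sed -n -e '/^[[:space:]]*#/d' \
             -e 's/.*icp_port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' \
    | tail -n1)
  printf '%s\n' "${port:-0}"
}

# Exposed only when BOTH hold. icp_access is deliberately not consulted: the advisory
# says deny rules do not prevent the crash. Returns 0 when vulnerable, 1 otherwise.
assess_cve_2026_33526() {
  ver=$(squid_version "$1")
  port=$(effective_icp_port "$2")
  if [ -n "$ver" ] && version_is_affected "$ver" && [ "$port" -ne 0 ]; then
    echo "VULNERABLE: Squid $ver listens for ICP on port $port; set icp_port 0 or upgrade to 7.5+"
    return 0
  fi
  echo "NOT_VULNERABLE: Squid ${ver:-unknown}, effective icp_port $port"
  return 1
}

# Constructed sample input: an affected version with ICP on and a deny-all icp_access.
SAMPLE_BANNER='Squid Cache: Version 7.4'
SAMPLE_CONFIG='# icp_port 3130 <- commented out, must be ignored
http_port 3128
icp_port 3130
icp_access deny all'

assess_cve_2026_33526 "$SAMPLE_BANNER" "$SAMPLE_CONFIG"
```

The sample deliberately includes `icp_access deny all` to show that the verdict does not change; only `icp_port 0` or a 7.5+ version clears it.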
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling ICP support entirely by setting the ICP port to 0 in your Squid configuration.
- Set `icp_port 0` in your Squid configuration file to disable ICP.
Note that using icp_access rules to deny ICP queries does not mitigate this vulnerability.
The definitive fix is to upgrade Squid to version 7.5 or later, where the vulnerability has been patched.
If upgrading immediately is not possible, disabling ICP support is the recommended workaround.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-33526 is a Denial of Service (DoS) vulnerability in the Squid caching proxy related to ICP traffic handling. It causes service crashes but does not impact confidentiality or integrity of data.
Since the vulnerability affects availability only and does not lead to unauthorized data access or data breaches, it does not directly compromise compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or sensitive data.
However, the DoS condition could affect service availability, which may indirectly impact compliance if availability is a regulatory requirement or if service disruption leads to failure in meeting service level agreements or operational continuity standards.