{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33526", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.830Z", "datePublished": "2026-03-26T00:16:12.195Z", "dateUpdated": "2026-03-26T18:20:40.309Z"}, "containers": {"cna": {"title": "Squid vulnerable to Denial of Service in ICP Request handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-826", "lang": "en", "description": "CWE-826: Premature Release of Resource During Expected Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg"}, {"name": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91", "tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91"}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"version": "< 7.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:16:12.195Z"}, "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch."}], "source": {"advisory": "GHSA-hpfx-h48q-gvwg", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/25/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-26T00:24:58.639Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:20:32.942486Z", "id": "CVE-2026-33526", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:20:40.309Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/25/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-26T00:24:58.639Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:20:32.942486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:20:37.588Z"}}], "cna": {"title": "Squid vulnerable to Denial of Service in ICP Request handling", "source": {"advisory": "GHSA-hpfx-h48q-gvwg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"status": "affected", "version": "< 7.5"}]}], "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg", "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91", "name": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-826", "description": "CWE-826: Premature Release of Resource During Expected Lifetime"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:16:12.195Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33526", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:20:40.309Z", "dateReserved": "2026-03-20T18:05:11.830Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T00:16:12.195Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch."}], "id": "CVE-2026-33526", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T01:16:27.877", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91"}, {"source": "security-advisories@github.com", "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/25/2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}, {"lang": "en", "value": "CWE-826"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling", "id": "2451574", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451574"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in Squid. A remote attacker can exploit a heap Use-After-Free vulnerability when handling ICP (Internet Cache Protocol) traffic. This allows them to perform a reliable and repeatable Denial of Service (DoS) attack, making the Squid service unavailable. This attack is limited to deployments where ICP support is explicitly enabled."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, disable ICP support in Squid by ensuring that `icp_port` is set to `0` in the `squid.conf` configuration file. This will prevent Squid from processing ICP traffic and eliminate the attack vector. After modifying the configuration, the Squid service must be restarted for the changes to take effect."}, "name": "CVE-2026-33526", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "squid:4/squid", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T00:16:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33526\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33526\nhttp://www.openwall.com/lists/oss-security/2026/03/25/2\nhttps://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg"], "statement": "Important: A heap Use-After-Free vulnerability in Squid's ICP handling can lead to a denial of service. This flaw affects Red Hat products where the Squid proxy is configured to explicitly enable Internet Cache Protocol (ICP) support by setting a non-zero `icp_port`. Deployments with default configurations, where ICP is typically disabled, are not affected.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "squid", "source": "cna", "vendor": "squid-cache"}, "product": "squid", "vendor": "squid-cache"}], "analysis": {"en": {"generated_at": "2026-03-26T04:43:56.927110+00:00", "value": {"mitigation_remediation": ["Upgrade Squid to version 7.5 or later.", "If ICP support is not required, set icp_port to 0 to disable ICP traffic."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects all Squid Cache installations prior to version 7.5 that have ICP support enabled. Any deployment where the configuration specifies a non\u2011zero icp_port is susceptible. Starting with Squid 7.5, the issue has been patched.", "description_and_impact": "Squid, a widely used caching proxy, contains a heap use\u2011after\u2011free flaw in the handling of ICP traffic. When an attacker sends crafted ICP requests to a server that has ICP enabled (icp_port set to a non\u2011zero value), the server can be forced to dereference freed memory. The resulting crash or hang brings the proxy to a halt, denying legitimate users access to cached or proxied web content. The vulnerability is identified as a use\u2011after\u2011free (CWE\u2011416) and an improper implementation of algorithmic logic (CWE\u2011826).", "risk_and_exploitability": "The base CVSS score of 9.2 denotes a high severity. Although EPSS information is unavailable and the vulnerability has not yet been listed in the CISA KEV catalog, the remote nature of the attack and the precision of the trigger mean that an adversary with access to the ICP port can reliably subvert service availability. The attack requires only that a target run a vulnerable Squid instance with ICP enabled; no authentication or special privileges are needed."}}}}, "created": "2026-03-26T11:30:58.476452+00:00", "updated": "2026-03-26T12:09:00.343829+00:00", "vendors": ["squid-cache", "squid-cache$PRODUCT$squid"]}