Squid ICP Request Handling Flaws Enable Remote Denial of Service
Squid disclosed two denial-of-service vulnerabilities in its Internet Cache Protocol (ICP) request handling, tracked as CVE-2026-33526 and CVE-2026-32748, that let remote attackers reliably and repeatedly crash the proxy service. The bugs stem from memory-safety issues including a heap use-after-free and, in one case, premature resource release, and affect Squid 3.x through 7.4 when ICP support is explicitly enabled with a non-zero icp_port.
The project said icp_access rules do not mitigate either flaw. Fixes were released in Squid 7.5, with an additional patch published for Squid 7, and administrators unable to upgrade were advised to disable ICP or set icp_port 0. The vulnerabilities were credited to Joshua Rogers and Asim Viladi Oglu Manizada for CVE-2026-33526, and Alex Rousskov of The Measurement Factory for CVE-2026-32748.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Squid publishes advisory SQUID-2026:1 for CVE-2026-33526
On March 25, 2026, Squid disclosed security advisory SQUID-2026:1 for CVE-2026-33526, warning that a remote attacker could repeatedly crash the service over ICP if a non-zero icp_port is configured. The advisory noted that icp_access rules do not mitigate the issue and identified Joshua Rogers and Asim Viladi Oglu Manizada as discoverers.
Squid fixes CVE-2026-33526 in version 7.5 and publishes a Squid 7 patch
Squid addressed CVE-2026-33526, a denial-of-service flaw in ICP request handling caused by a heap use-after-free bug affecting versions 3.x through 7.4 when ICP is enabled. The project fixed the issue in Squid 7.5 and also published a patch commit for Squid 7.
Squid fixes CVE-2026-32748 in version 7.5 and publishes a Squid 7 patch
For CVE-2026-32748, Squid released a fix in version 7.5 and published an additional patch for Squid 7. The flaw was discovered and fixed by Alex Rousskov of The Measurement Factory.
Squid publishes advisory SQUID-2026:2 for CVE-2026-32748
Squid disclosed security advisory SQUID-2026:2 for CVE-2026-32748, a denial-of-service vulnerability in ICP request handling caused by premature resource release and heap use-after-free bugs. The issue affects Squid 3.x through 7.4 when ICP support is explicitly enabled, and the advisory recommends disabling ICP or setting icp_port 0 as a workaround.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
oss-sec: Re: [ADVISORY] SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526)
seclists.org
Open sourceSquid security advisory (AV26-284) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceoss-sec: [ADVISORY] SQUID-2026:2 Denial of Service in ICP Request handling (CVE-2026-32748)
seclists.org
Open sourceoss-sec: [ADVISORY] SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526)
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Squid ICP Use-After-Free Flaws Enable Remote Denial of Service
Two high-severity vulnerabilities, **CVE-2026-32748** and **CVE-2026-33526**, were disclosed in **Squid** that allow remote denial-of-service attacks through malformed **Internet Cache Protocol (ICP)** traffic. The flaws stem from heap **use-after-free** conditions in both ICP response and ICP request handling, with one advisory also citing premature resource release. Affected systems are Squid deployments running versions prior to **7.5**. The bugs are only exploitable where administrators have explicitly enabled ICP by setting a non-zero `icp_port`, and the advisories warn that `icp_access` rules do **not** mitigate the issue. Squid **7.5** contains the fixes, and the disclosures reference upstream patches, a GitHub security advisory, and an Openwall `oss-security` post. Organizations using Squid with ICP enabled should prioritize upgrading and review whether ICP is necessary in exposed environments.
Mar 26, 2026
Squid ICP Flaws Expose Proxies to DoS and Memory Disclosure
Squid disclosed three security issues in its Internet Cache Protocol (ICP) request handling, including **CVE-2026-33515**, an out-of-bounds read that can leak small amounts of process memory in error responses to malformed ICP requests. The memory disclosure bug affects Squid versions **3.0 through 7.4** when ICP support is explicitly enabled with a non-zero `icp_port`, and the project said `icp_access` rules do not mitigate the issue. The flaw was reported and fixed by Joshua Rogers of ZeroPath and Alex Rousskov of The Measurement Factory. The advisories also include **SQUID-2026:1** and **SQUID-2026:2**, both describing denial-of-service conditions in ICP request handling, indicating a broader weakness in how Squid processes ICP traffic. Squid said the memory disclosure issue is fixed in **version 7.5**, and it published a patch for supported **7.x** stable releases; administrators that cannot patch were advised to disable ICP or set `icp_port 0` to remove exposure.
May 25, 2026
Squid Proxy Patches Squidbleed Memory Leak and Cache Digest Buffer Overflow
Squid maintainers released **Squid 7.6** to fix two severe vulnerabilities, including **"Squidbleed"** tracked as `CVE-2026-47729`, a heap out-of-bounds read in the proxy's FTP gateway code. The flaw can be triggered when Squid parses a malformed FTP `LIST` response from an attacker-controlled or misbehaving FTP server, causing memory disclosure from reused 4 KB buffers that may contain stale data from unrelated sessions, including HTTP `Authorization` headers. Reports said the issue affects Squid's default configuration because FTP support is enabled by default and TCP port `21` is permitted by the default `Safe_ports` ACL, although exploitation depends on the proxy being able to reach the hostile FTP server and is most relevant to cleartext HTTP or TLS-terminating proxy deployments. The update also fixes `CVE-2026-50012`, a heap-based buffer overflow caused by malicious replies to `cache_digest` requests from a trusted server in builds compiled with `--enable-cache-digests`. That bug can crash Squid and may allow arbitrary code execution. The FTP parsing bug was patched by adding a null-terminator check before `strchr`, and administrators were urged to upgrade immediately to **Squid 7.6**; guidance also recommended disabling FTP support entirely unless it is explicitly required.
Jun 22, 2026