Squid ICP Flaws Expose Proxies to DoS and Memory Disclosure
Squid disclosed three security issues in its Internet Cache Protocol (ICP) request handling, including CVE-2026-33515, an out-of-bounds read that can leak small amounts of process memory in error responses to malformed ICP requests. The memory disclosure bug affects Squid versions 3.0 through 7.4 when ICP support is explicitly enabled with a non-zero icp_port, and the project said icp_access rules do not mitigate the issue. The flaw was reported and fixed by Joshua Rogers of ZeroPath and Alex Rousskov of The Measurement Factory.
The advisories also include SQUID-2026:1 and SQUID-2026:2, both describing denial-of-service conditions in ICP request handling, indicating a broader weakness in how Squid processes ICP traffic. Squid said the memory disclosure issue is fixed in version 7.5, and it published a patch for supported 7.x stable releases; administrators that cannot patch were advised to disable ICP or set icp_port 0 to remove exposure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
GitHub republishes Squid security advisories including SQUID-2026:3
GitHub security advisories for the squid-cache/squid project listed SQUID-2026:3 alongside related ICP-handling advisories SQUID-2026:1 and SQUID-2026:2. This reflects broader publication of the Squid advisory set through GitHub's advisory channel.
Squid publishes advisory SQUID-2026:3 and releases fixes for CVE-2026-33515
Squid published security advisory SQUID-2026:3 for CVE-2026-33515, warning that invalid ICP requests can trigger error responses that leak small amounts of memory containing potentially sensitive information. Squid said icp_access rules do not mitigate the issue, recommended disabling ICP or setting "icp_port 0" as a workaround, and released a fix in Squid 7.5 plus a patch for Squid 7 stable releases.
ZeroPath and The Measurement Factory discover and fix CVE-2026-33515
Joshua Rogers of ZeroPath and Alex Rousskov of The Measurement Factory discovered and fixed an out-of-bounds read vulnerability in Squid ICP message handling, later assigned CVE-2026-33515. The flaw affects Squid versions 3.0 through 7.4 when ICP is explicitly enabled with a non-zero icp_port.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
SQUID-2026:1 Denial of Service in ICP Request handling · Advisory · squid-cache/squid · GitHub
github.com
Open sourceSQUID-2026:2 Denial of Service in ICP Request handling · Advisory · squid-cache/squid · GitHub
github.com
Open sourceSQUID-2026:3 Out of Bounds Read in ICP message handling · Advisory · squid-cache/squid · GitHub
github.com
Open sourceSecurity Advisories · squid-cache/squid · GitHub
github.com
Open sourceoss-sec: [ADVISORY] SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515)
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Squid ICP Request Handling Flaws Enable Remote Denial of Service
Squid disclosed two denial-of-service vulnerabilities in its Internet Cache Protocol (ICP) request handling, tracked as **CVE-2026-33526** and **CVE-2026-32748**, that let remote attackers reliably and repeatedly crash the proxy service. The bugs stem from memory-safety issues including a heap use-after-free and, in one case, premature resource release, and affect **Squid 3.x through 7.4** when ICP support is explicitly enabled with a non-zero `icp_port`. The project said **`icp_access` rules do not mitigate either flaw**. Fixes were released in **Squid 7.5**, with an additional patch published for Squid 7, and administrators unable to upgrade were advised to disable ICP or set `icp_port 0`. The vulnerabilities were credited to **Joshua Rogers** and **Asim Viladi Oglu Manizada** for CVE-2026-33526, and **Alex Rousskov** of The Measurement Factory for CVE-2026-32748.
Mar 28, 2026
Squid ICP Use-After-Free Flaws Enable Remote Denial of Service
Two high-severity vulnerabilities, **CVE-2026-32748** and **CVE-2026-33526**, were disclosed in **Squid** that allow remote denial-of-service attacks through malformed **Internet Cache Protocol (ICP)** traffic. The flaws stem from heap **use-after-free** conditions in both ICP response and ICP request handling, with one advisory also citing premature resource release. Affected systems are Squid deployments running versions prior to **7.5**. The bugs are only exploitable where administrators have explicitly enabled ICP by setting a non-zero `icp_port`, and the advisories warn that `icp_access` rules do **not** mitigate the issue. Squid **7.5** contains the fixes, and the disclosures reference upstream patches, a GitHub security advisory, and an Openwall `oss-security` post. Organizations using Squid with ICP enabled should prioritize upgrading and review whether ICP is necessary in exposed environments.
Mar 26, 2026
Critical Information Disclosure Vulnerability in Squid Proxy via Error Handling (CVE-2025-62168)
A critical vulnerability, tracked as CVE-2025-62168, has been identified in Squid, a widely used web caching proxy. This flaw, which carries a maximum CVSS score of 10.0, allows for the leakage of HTTP authentication credentials and security tokens through improper error handling. The vulnerability affects all Squid versions prior to 7.2, where a failure to redact sensitive information in error messages can result in information disclosure. Attackers can exploit this issue remotely, enabling them to bypass browser security protections and obtain credentials used by trusted clients. The vulnerability does not require Squid to be configured with HTTP authentication, broadening the potential attack surface. Scripts can leverage this flaw to extract credentials or security tokens that are used internally by web applications relying on Squid for backend load balancing. The risk is particularly severe for organizations using Squid as a reverse proxy or in environments where sensitive authentication data is transmitted. The vulnerability was disclosed publicly in October 2025, with security advisories highlighting the ease of remote exploitation. Administrators are urged to upgrade to Squid version 7.2, which contains the necessary fix to address this issue. As a temporary mitigation, disabling debug information in administrator mailto links by setting 'email_err_data off' in the squid.conf configuration file is recommended. The vulnerability's critical rating underscores the urgency for immediate remediation to prevent potential credential theft and unauthorized access. Security researchers emphasize that the flaw could be used in targeted attacks against organizations with exposed Squid proxies. The issue was reported through security advisories and has been acknowledged by the Squid development team. Organizations are advised to review their proxy configurations and apply the patch as soon as possible. The vulnerability highlights the importance of proper error handling and redaction of sensitive data in security-critical infrastructure. Failure to address this flaw could result in significant data breaches or compromise of internal systems. The disclosure has prompted widespread attention in the cybersecurity community, with multiple advisories and technical analyses published to assist defenders. The incident serves as a reminder of the risks associated with misconfigured or outdated proxy services in enterprise environments.
Mar 21, 2026