Squid ICP Use-After-Free Flaws Enable Remote Denial of Service
Two high-severity vulnerabilities, CVE-2026-32748 and CVE-2026-33526, were disclosed in Squid that allow remote denial-of-service attacks through malformed Internet Cache Protocol (ICP) traffic. The flaws stem from heap use-after-free conditions in both ICP response and ICP request handling, with one advisory also citing premature resource release. Affected systems are Squid deployments running versions prior to 7.5.
The bugs are only exploitable where administrators have explicitly enabled ICP by setting a non-zero icp_port, and the advisories warn that icp_access rules do not mitigate the issue. Squid 7.5 contains the fixes, and the disclosures reference upstream patches, a GitHub security advisory, and an Openwall oss-security post. Organizations using Squid with ICP enabled should prioritize upgrading and review whether ICP is necessary in exposed environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-32748 and CVE-2026-33526 are publicly disclosed
Two high-severity Squid vulnerabilities, CVE-2026-32748 and CVE-2026-33526, were publicly documented with references to a fixing commit, GitHub security advisory, and an Openwall oss-security post. The advisories noted that icp_access rules do not mitigate the issues.
Squid fixes two ICP-related DoS flaws in version 7.5
Squid released version 7.5 to fix two remote denial-of-service vulnerabilities in ICP request and response handling, both caused by heap use-after-free conditions. The flaws affect versions prior to 7.5 and are exploitable only when ICP support is explicitly enabled with a non-zero icp_port.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Squid ICP Request Handling Flaws Enable Remote Denial of Service
Squid disclosed two denial-of-service vulnerabilities in its Internet Cache Protocol (ICP) request handling, tracked as **CVE-2026-33526** and **CVE-2026-32748**, that let remote attackers reliably and repeatedly crash the proxy service. The bugs stem from memory-safety issues including a heap use-after-free and, in one case, premature resource release, and affect **Squid 3.x through 7.4** when ICP support is explicitly enabled with a non-zero `icp_port`. The project said **`icp_access` rules do not mitigate either flaw**. Fixes were released in **Squid 7.5**, with an additional patch published for Squid 7, and administrators unable to upgrade were advised to disable ICP or set `icp_port 0`. The vulnerabilities were credited to **Joshua Rogers** and **Asim Viladi Oglu Manizada** for CVE-2026-33526, and **Alex Rousskov** of The Measurement Factory for CVE-2026-32748.
Mar 28, 2026
Squid ICP Flaws Expose Proxies to DoS and Memory Disclosure
Squid disclosed three security issues in its Internet Cache Protocol (ICP) request handling, including **CVE-2026-33515**, an out-of-bounds read that can leak small amounts of process memory in error responses to malformed ICP requests. The memory disclosure bug affects Squid versions **3.0 through 7.4** when ICP support is explicitly enabled with a non-zero `icp_port`, and the project said `icp_access` rules do not mitigate the issue. The flaw was reported and fixed by Joshua Rogers of ZeroPath and Alex Rousskov of The Measurement Factory. The advisories also include **SQUID-2026:1** and **SQUID-2026:2**, both describing denial-of-service conditions in ICP request handling, indicating a broader weakness in how Squid processes ICP traffic. Squid said the memory disclosure issue is fixed in **version 7.5**, and it published a patch for supported **7.x** stable releases; administrators that cannot patch were advised to disable ICP or set `icp_port 0` to remove exposure.
May 25, 2026
Critical Information Disclosure Vulnerability in Squid Proxy via Error Handling (CVE-2025-62168)
A critical vulnerability, tracked as CVE-2025-62168, has been identified in Squid, a widely used web caching proxy. This flaw, which carries a maximum CVSS score of 10.0, allows for the leakage of HTTP authentication credentials and security tokens through improper error handling. The vulnerability affects all Squid versions prior to 7.2, where a failure to redact sensitive information in error messages can result in information disclosure. Attackers can exploit this issue remotely, enabling them to bypass browser security protections and obtain credentials used by trusted clients. The vulnerability does not require Squid to be configured with HTTP authentication, broadening the potential attack surface. Scripts can leverage this flaw to extract credentials or security tokens that are used internally by web applications relying on Squid for backend load balancing. The risk is particularly severe for organizations using Squid as a reverse proxy or in environments where sensitive authentication data is transmitted. The vulnerability was disclosed publicly in October 2025, with security advisories highlighting the ease of remote exploitation. Administrators are urged to upgrade to Squid version 7.2, which contains the necessary fix to address this issue. As a temporary mitigation, disabling debug information in administrator mailto links by setting 'email_err_data off' in the squid.conf configuration file is recommended. The vulnerability's critical rating underscores the urgency for immediate remediation to prevent potential credential theft and unauthorized access. Security researchers emphasize that the flaw could be used in targeted attacks against organizations with exposed Squid proxies. The issue was reported through security advisories and has been acknowledged by the Squid development team. Organizations are advised to review their proxy configurations and apply the patch as soon as possible. The vulnerability highlights the importance of proper error handling and redaction of sensitive data in security-critical infrastructure. Failure to address this flaw could result in significant data breaches or compromise of internal systems. The disclosure has prompted widespread attention in the cybersecurity community, with multiple advisories and technical analyses published to assist defenders. The incident serves as a reminder of the risks associated with misconfigured or outdated proxy services in enterprise environments.
Mar 21, 2026