Critical

Denial of Service in Squid ICP request handling

IdentifiersCVE-2026-33526CWE-416· Use After Free

CVE-2026-33526 is a heap use-after-free vulnerability in Squid's handling of ICP (Internet Cache Protocol) traffic. It affects Squid versions prior to 7.5, with advisory material indicating affected branches include 3.x through 7.4. When ICP support is explicitly enabled, a remote attacker can send crafted ICP traffic that triggers the use-after-free condition during ICP request handling, causing the Squid process to crash. The issue is described by the vendor as enabling a reliable and repeatable denial-of-service attack. Although some discussion noted that use-after-free bugs can sometimes have broader consequences, the provided advisory content specifically characterizes this CVE as a denial-of-service issue. The vendor states that version 7.5 contains the patch, and a fixing commit was published for Squid 7.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to repeatedly crash or otherwise disrupt the Squid service via ICP traffic, resulting in denial of service and loss of proxy availability. The documented impact in the provided sources is service disruption rather than confirmed code execution or data exposure.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable ICP support explicitly by configuring icp_port 0 or otherwise ensuring ICP is not enabled. This is the documented workaround. The advisory explicitly states that denying ICP queries with icp_access rules does not mitigate the vulnerability, so access rules alone should not be relied upon.

Remediation

Patch, then assume compromise.

Upgrade Squid to version 7.5 or later, which contains the vendor patch for this vulnerability. For downstream distributions, apply the vendor or distribution-specific fixed package versions; the provided Debian advisory indicates squid 6.13-2+deb13u2 or later for Debian trixie. Where applicable, deploy the upstream fix referenced by commit 8a7d42f9d44befb8fcbbb619505587c8de6a1e91.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

DebianSquidapplication

Squid-CacheSquidapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

16 SOURCESView more in app

cvefeed high severityNews

Mar 26, 2026

CVE-2026-33526 - Squid vulnerable to Denial of Service in ICP Request handling

A heap use-after-free vulnerability in Squid prior to version 7.5 that allows a remote attacker to cause a reliable denial of service via ICP traffic when ICP support is enabled.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity11

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-33526

NVD

nvd.nist.gov/vuln/detail/CVE-2026-33526

MITRE CWE · CWE-416

Use After Free

Patch

github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91

Vendor Advisory

github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg

Third Party Advisory

openwall.com/lists/oss-security/2026/03/25/2