{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33526", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.830Z", "datePublished": "2026-03-26T00:16:12.195Z", "dateUpdated": "2026-03-26T18:20:40.309Z"}, "containers": {"cna": {"title": "Squid vulnerable to Denial of Service in ICP Request handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-826", "lang": "en", "description": "CWE-826: Premature Release of Resource During Expected Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg"}, {"name": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91", "tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91"}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"version": "< 7.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:16:12.195Z"}, "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch."}], "source": {"advisory": "GHSA-hpfx-h48q-gvwg", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/25/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-26T00:24:58.639Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:20:32.942486Z", "id": "CVE-2026-33526", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:20:40.309Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/25/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-26T00:24:58.639Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:20:32.942486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:20:37.588Z"}}], "cna": {"title": "Squid vulnerable to Denial of Service in ICP Request handling", "source": {"advisory": "GHSA-hpfx-h48q-gvwg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"status": "affected", "version": "< 7.5"}]}], "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg", "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91", "name": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-826", "description": "CWE-826: Premature Release of Resource During Expected Lifetime"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:16:12.195Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33526", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:20:40.309Z", "dateReserved": "2026-03-20T18:05:11.830Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T00:16:12.195Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F62FE66-3319-4718-BD42-B374264D81E8", "versionEndExcluding": "7.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch."}, {"lang": "es", "value": "Squid es un proxy de almacenamiento en cach\u00e9 para la Web. Antes de la versi\u00f3n 7.5, debido a un uso despu\u00e9s de liberaci\u00f3n (Use-After-Free) en el heap, Squid es vulnerable a denegaci\u00f3n de servicio al manejar tr\u00e1fico ICP. Este problema permite a un atacante remoto realizar un ataque de denegaci\u00f3n de servicio fiable y repetible contra el servicio Squid utilizando el protocolo ICP. Este ataque se limita a implementaciones de Squid que habilitan expl\u00edcitamente el soporte ICP (es decir, configuran un 'icp_port' distinto de cero). Este problema _no puede_ mitigarse denegando consultas ICP utilizando reglas de 'icp_access'. La versi\u00f3n 7.5 contiene un parche."}], "id": "CVE-2026-33526", "lastModified": "2026-03-31T01:18:03.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T01:16:27.877", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/03/25/2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}, {"lang": "en", "value": "CWE-826"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling", "id": "2451574", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451574"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in Squid. A remote attacker can exploit a heap Use-After-Free vulnerability when handling ICP (Internet Cache Protocol) traffic. This allows them to perform a reliable and repeatable Denial of Service (DoS) attack, making the Squid service unavailable. This attack is limited to deployments where ICP support is explicitly enabled."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, disable ICP support in Squid by ensuring that `icp_port` is set to `0` in the `squid.conf` configuration file. This will prevent Squid from processing ICP traffic and eliminate the attack vector. After modifying the configuration, the Squid service must be restarted for the changes to take effect."}, "name": "CVE-2026-33526", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "squid:4/squid", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T00:16:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33526\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33526\nhttp://www.openwall.com/lists/oss-security/2026/03/25/2\nhttps://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg"], "statement": "Important: A heap Use-After-Free vulnerability in Squid's ICP handling can lead to a denial of service. This flaw affects Red Hat products where the Squid proxy is configured to explicitly enable Internet Cache Protocol (ICP) support by setting a non-zero `icp_port`. Deployments with default configurations, where ICP is typically disabled, are not affected.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "squid", "source": "cna", "vendor": "squid-cache"}, "product": "squid", "vendor": "squid-cache"}], "analysis": {"en": {"generated_at": "2026-03-31T06:07:10.850666+00:00", "value": {"mitigation_remediation": ["Upgrade Squid to a version 7.5 or newer to apply the patch that fixes the heap use\u2011after\u2011free bug.", "If an upgrade cannot be performed immediately, disable ICP support by setting icp_port to 0 or removing ICP from the configuration, which stops the service from listening on that port.", "Verify that firewall or icp_access rules do not inadvertently allow traffic, as they do not mitigate the issue."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Products affected are Squid caching proxy versions earlier than 7.5. The vulnerability applies only to configurations that have ICP enabled, i.e., a non\u2011zero icp_port value. No other products or vendor versions are reported as affected.", "description_and_impact": "Squid, the Web caching proxy, suffers from a heap use\u2011after\u2011free error that can be triggered by crafted ICP (Internet Cache Protocol) requests. A remote attacker able to reach the ICP service can cause the Squid process to crash, resulting in a reliable denial of service. The flaw is a memory safety defect and therefore a high\u2011severity issue.", "risk_and_exploitability": "The CVSS score of 9.2 indicates critical severity, while the EPSS score of 2\u202f% suggests a relatively low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker with network reach to the ICP port can exploit the flaw; local privileges are not required. Successful exploitation results in a service crash and downtime until a restart."}}}}, "created": "2026-03-26T11:30:58.476452+00:00", "updated": "2026-03-31T20:09:11.472063+00:00", "vendors": ["squid-cache", "squid-cache$PRODUCT$squid"]}