wid-sec-w-2026-0854 · Published 2026-03-24 · Source: BSI CERT-Bund
Squid: Multiple Vulnerabilities allow Denial of Service
CVSS 9.2 (CRITICAL)
Risk Summary
Squid is a caching proxy for the Web. Prior to version 7.5, premature release of a resource during its expected lifetime and heap use-after-free bugs make Squid vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using the ICP protocol. The attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure a non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
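An exposure check built from the conditions above, added here as an example and not taken from the advisory or the Squid project. The function names and sample inputs are hypothetical; it assumes an unset `icp_port` means ICP is off and that the last `icp_port` line wins, and it does not follow included config files.

```python
import re

FIXED = (7, 5)  # first fixed release named in the advisory

def parse_version(banner):
    """Pull (major, minor) out of a version banner such as `squid -v` prints."""
    m = re.search(r"(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no version number in banner")
    return int(m.group(1)), int(m.group(2))

def directives(conf_text):
    """Yield token lists for each non-comment line (text after '#' is dropped)."""
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def effective_icp_port(conf_text):
    """Assumption: unset means 0 (ICP off) and the last icp_port line wins."""
    port = 0
    for fields in directives(conf_text):
        if fields[0] == "icp_port" and len(fields) > 1 and fields[1].isdigit():
            port = int(fields[1])
    return port

def assess(banner, conf_text):
    version = parse_version(banner)
    port = effective_icp_port(conf_text)
    exposed = version < FIXED and port != 0
    # icp_access rules are reported but never lower the verdict: the advisory
    # states that denying ICP queries does not mitigate the bug.
    acl_only = exposed and any(f[0] == "icp_access" for f in directives(conf_text))
    return {"version": version, "icp_port": port,
            "exposed": exposed, "relies_on_icp_access": acl_only}

# Constructed sample inputs (not taken from any real deployment).
BANNER_OLD = "Squid Cache: Version 6.13"
BANNER_FIXED = "Squid Cache: Version 7.5"
CONF_ICP_ON = """\
http_port 3128
icp_port 3130
# icp_port 0
icp_access deny all
"""
CONF_ICP_OFF = "http_port 3128\nicp_port 3130\nicp_port 0\n"

if __name__ == "__main__":
    for banner, conf in [(BANNER_OLD, CONF_ICP_ON), (BANNER_OLD, CONF_ICP_OFF),
                         (BANNER_FIXED, CONF_ICP_ON)]:
        print(assess(banner, conf))
```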
CVEs (3)
Affected Vendors
Open Source
Oracle
RESF
Red Hat
Ubuntu
Affected Products (2)
Open Source · Squid <7.5
Open Source · Squid 7.5