PatchSiren

CVE-2026-33526 Squid Cache CVE debrief

CVE-2026-33526 is a critical vulnerability in Squid, a caching proxy for the Web, which allows for Denial of Service attacks via ICP traffic. The vulnerability is caused by a heap Use-After-Free issue and has a CVSS score of 9.2. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using the ICP protocol. The attack is limited to Squid deployments that explicitly enable ICP support. Version 7.5 contains a patch for this issue.

Vendor: Squid Cache
Product: Squid
CVSS: CRITICAL 9.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-26
Original CVE updated: 2026-06-30
Advisory published: 2026-03-26
Advisory updated: 2026-06-30

Who should care

This vulnerability affects organizations that use Squid as a caching proxy for the Web, especially those with ICP support enabled. The vulnerability can be exploited remotely, making it a significant concern for networks that expose Squid services to the internet or untrusted networks.

Technical summary

CVE-2026-33526 is a heap Use-After-Free vulnerability in Squid that allows for Denial of Service attacks via ICP traffic. The vulnerability has a CVSS score of 9.2 and is classified as CRITICAL. The issue is resolved in Squid version 7.5. The vulnerability can be exploited by a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using the ICP protocol.

Defensive priority

This vulnerability has a high defensive priority due to its critical severity and potential for remote exploitation. Organizations using Squid with ICP support enabled should prioritize patching to version 7.5.

Recommended defensive actions

  • Immediately upgrade Squid to version 7.5 or later to patch the vulnerability.
  • Disable ICP support if not required, as the attack is limited to deployments with ICP support enabled.
  • Monitor Squid services for unusual activity, especially related to ICP traffic.
  • Implement network segmentation to limit the exposure of Squid services to untrusted networks.
  • Review and update incident response plans to address potential Denial of Service attacks.
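
One way to check a host against the first two actions above, as an added example that is not part of the original debrief or the Squid project's code: it reads squid.conf text for the icp_port and icp_access directives and compares the `squid -v` version line against 7.5. The sample config, the sample version string and the function names are constructed for illustration, and files pulled in through include directives are not followed.

```python
import re

PATCHED = (7, 5)  # release this page names as containing the fix

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
http_port 3128
# icp_port 0
icp_port 3130
acl peers src 10.0.0.0/24
icp_access allow peers
icp_access allow all
"""
SAMPLE_VERSION = "Squid Cache: Version 7.4"  # first line of `squid -v`

def audit_icp(conf_text):
    """Return (icp_port, icp_access_rules) parsed from squid.conf text."""
    port, rules = 0, []  # icp_port defaults to 0, which leaves ICP off
    for raw in conf_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        if tokens[0] == "icp_port" and len(tokens) > 1 and tokens[1].isdigit():
            port = int(tokens[1])  # assumption: the last icp_port line wins
        elif tokens[0] == "icp_access":
            rules.append(tokens[1:])
    return port, rules

def upstream_version(version_output):
    """Extract (major, minor) from `squid -v` output, or None if absent."""
    m = re.search(r"Version (\d+)\.(\d+)", version_output)
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(conf_text, version_output):
    port, rules = audit_icp(conf_text)
    version = upstream_version(version_output)
    # Distro builds may carry a backported fix under an older version
    # number, so "not patched" here means "check the vendor errata".
    patched = version is not None and version >= PATCHED
    return {
        "icp_enabled": port != 0,
        "icp_port": port,
        "allows_all": ["allow", "all"] in rules,
        "patched_upstream": patched,
        "needs_action": port != 0 and not patched,
    }

if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONF, SAMPLE_VERSION).items():
        print(f"{key}: {value}")
```

A host flagged with needs_action either gets the upgrade or has icp_port set to 0; allows_all marks a configuration that accepts ICP queries from any source and is worth restricting even after patching.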

Evidence notes

The vulnerability is documented in the official CVE record and NVD detail pages. The Squid project has released a patch for this issue in version 7.5. Red Hat has also released errata related to this vulnerability.

This article is AI-assisted and based on the supplied source corpus.