PatchSiren cyber security CVE debrief
CVE-2026-33526 Squid Cache CVE debrief
CVE-2026-33526 is a critical vulnerability in Squid, a caching proxy for the Web, which allows for Denial of Service attacks via ICP traffic. The vulnerability is caused by a heap Use-After-Free issue and has a CVSS score of 9.2. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. The attack is limited to Squid deployments that explicitly enable ICP support. Version 7.5 contains a patch for this issue.
- Vendor
- Squid Cache
- Product
- Squid
- CVSS
- CRITICAL 9.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-26
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-03-26
- Advisory updated
- 2026-06-30
Who should care
This vulnerability affects organizations that use Squid as a caching proxy for the Web, especially those with ICP support enabled. The vulnerability can be exploited remotely, making it a significant concern for networks that expose Squid services to the internet or untrusted networks.
Technical summary
CVE-2026-33526 is a heap Use-After-Free vulnerability in Squid that allows for Denial of Service attacks via ICP traffic. The vulnerability has a CVSS score of 9.2 and is classified as CRITICAL. The issue is resolved in Squid version 7.5. The vulnerability can be exploited by a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol.
Defensive priority
This vulnerability has a high defensive priority due to its critical severity and potential for remote exploitation. Organizations using Squid with ICP support enabled should prioritize patching to version 7.5.
Recommended defensive actions
- Immediately upgrade Squid to version 7.5 or later to patch the vulnerability.
- Disable ICP support if not required, as the attack is limited to deployments with ICP support enabled.
- Monitor Squid services for unusual activity, especially related to ICP traffic.
- Implement network segmentation to limit the exposure of Squid services to untrusted networks.
- Review and update incident response plans to address potential Denial of Service attacks.
Evidence notes
The vulnerability is documented in the official CVE record and NVD detail pages. The Squid project has released a patch for this issue in version 7.5. Red Hat has also released errata related to this vulnerability.
Official resources
-
CVE-2026-33526 CVE record
CVE.org
-
CVE-2026-33526 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Third Party Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.