8.7
CVE-2026-32748
- EPSS 8.93%
- Veröffentlicht 26.03.2026 00:11:01
- Zuletzt bearbeitet 30.06.2026 03:18:34
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Squid has Denial of Service in ICP Response handling
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Squid-cache ≫ Squid Version < 7.5
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 8.93% | 0.946 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| security-advisories@github.com | 8.7 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-413 Improper Resource Locking
The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-826 Premature Release of Resource During Expected Lifetime
The product releases a resource that is still intended to be used by itself or another actor.
https://github.com/squid-cache/squid/security/advisories/GHSA-f9p7-3jqg-hhvq
https://github.com/squid-cache/squid/commit/703e07d25ca6fa11f52d20bf0bb879e22ab7481b
http://www.openwall.com/lists/oss-security/2026/03/25/3
https://access.redhat.com/errata/RHSA-2026:10255
https://access.redhat.com/errata/RHSA-2026:10256
https://access.redhat.com/errata/RHSA-2026:10257
https://access.redhat.com/errata/RHSA-2026:11901
https://access.redhat.com/errata/RHSA-2026:20564
https://access.redhat.com/errata/RHSA-2026:20565
https://access.redhat.com/errata/RHSA-2026:20580
https://access.redhat.com/errata/RHSA-2026:6301
https://access.redhat.com/errata/RHSA-2026:8119
https://access.redhat.com/errata/RHSA-2026:8317
https://access.redhat.com/errata/RHSA-2026:8880
https://access.redhat.com/errata/RHSA-2026:9220
https://access.redhat.com/security/cve/CVE-2026-32748
https://bugzilla.redhat.com/show_bug.cgi?id=2451577
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32748.json