CVE-2026-32748

EPSS 0.24%
Veröffentlicht 26.03.2026 00:11:01
Zuletzt bearbeitet 26.03.2026 20:43:15
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Squid has Denial of Service in ICP Response handling

Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Squid-cache ≫ Squid Version < 7.5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.463

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-413 Improper Resource Locking

The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

CWE-826 Premature Release of Resource During Expected Lifetime

The product releases a resource that is still intended to be used by itself or another actor.

https://github.com/squid-cache/squid/security/advisories/GHSA-f9p7-3jqg-hhvq

Patch

Vendor Advisory

Mitigation

https://github.com/squid-cache/squid/commit/703e07d25ca6fa11f52d20bf0bb879e22ab7481b

Patch

http://www.openwall.com/lists/oss-security/2026/03/25/3

Patch

Third Party Advisory

Mailing List