9.2

CVE-2026-33526

Squid vulnerable to Denial of Service in ICP Request handling

Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Squid-cacheSquid Version < 7.5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 8.94% 0.946
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 9.2 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

CWE-825 Expired Pointer Dereference

The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

CWE-826 Premature Release of Resource During Expected Lifetime

The product releases a resource that is still intended to be used by itself or another actor.

https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg
Vendor Advisory
https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91
Patch
http://www.openwall.com/lists/oss-security/2026/03/25/2
Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:10255
https://access.redhat.com/errata/RHSA-2026:10256
https://access.redhat.com/errata/RHSA-2026:10257
https://access.redhat.com/errata/RHSA-2026:11901
https://access.redhat.com/errata/RHSA-2026:20564
https://access.redhat.com/errata/RHSA-2026:20565
https://access.redhat.com/errata/RHSA-2026:20580
https://access.redhat.com/errata/RHSA-2026:6301
https://access.redhat.com/errata/RHSA-2026:8119
https://access.redhat.com/errata/RHSA-2026:8317
https://access.redhat.com/errata/RHSA-2026:8880
https://access.redhat.com/errata/RHSA-2026:9220
https://access.redhat.com/security/cve/CVE-2026-33526
https://bugzilla.redhat.com/show_bug.cgi?id=2451574
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33526.json