9.2
CVE-2026-33526
- EPSS 8.94%
- Veröffentlicht 26.03.2026 00:16:12
- Zuletzt bearbeitet 30.06.2026 03:18:41
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Squid vulnerable to Denial of Service in ICP Request handling
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Squid-cache ≫ Squid Version < 7.5
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 8.94% | 0.946 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| security-advisories@github.com | 9.2 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-825 Expired Pointer Dereference
The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
CWE-826 Premature Release of Resource During Expected Lifetime
The product releases a resource that is still intended to be used by itself or another actor.
https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg
https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91
http://www.openwall.com/lists/oss-security/2026/03/25/2
https://access.redhat.com/errata/RHSA-2026:10255
https://access.redhat.com/errata/RHSA-2026:10256
https://access.redhat.com/errata/RHSA-2026:10257
https://access.redhat.com/errata/RHSA-2026:11901
https://access.redhat.com/errata/RHSA-2026:20564
https://access.redhat.com/errata/RHSA-2026:20565
https://access.redhat.com/errata/RHSA-2026:20580
https://access.redhat.com/errata/RHSA-2026:6301
https://access.redhat.com/errata/RHSA-2026:8119
https://access.redhat.com/errata/RHSA-2026:8317
https://access.redhat.com/errata/RHSA-2026:8880
https://access.redhat.com/errata/RHSA-2026:9220
https://access.redhat.com/security/cve/CVE-2026-33526
https://bugzilla.redhat.com/show_bug.cgi?id=2451574
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33526.json