Squid <7.5: ICP Handler Heap UAF -> DoS
CVE-2026-32748 Published on March 26, 2026

Squid has Denial of Service in ICP Response handling
Squid is a caching proxy for the Web. Prior to version 7.5, premature release of a resource during its expected lifetime and heap Use-After-Free bugs make Squid vulnerable to Denial of Service when handling ICP traffic. A remote attacker can use this to perform a reliable and repeatable Denial of Service attack against the Squid service using the ICP protocol. The attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure a non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. The bug is fixed in Squid version 7.5.
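The exposure conditions above can be checked per host. The following triage script is an added example, not code from the advisory or the Squid project. It assumes a single `squid.conf` with no `include` files, that an absent `icp_port` means ICP is disabled, and that the last `icp_port` line wins. The function names and sample configs are constructed for illustration.

```python
import re

FIXED = (7, 5)  # first fixed release, per the advisory

# Constructed sample configs (not taken from any real deployment).
SAMPLE_DENY = "http_port 3128\nicp_port 3130\nicp_access deny all\n"
SAMPLE_OFF = "http_port 3128\nicp_port 0\n"

def parse_version(text):
    """Turn '7.4' or 'Squid Cache: Version 6.13' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return int(m.group(1)), int(m.group(2))

def icp_port(conf_text):
    """Return the effective icp_port; 0 means ICP is disabled.

    Assumptions: an absent directive means 0, the last occurrence wins.
    """
    port = 0
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] == "icp_port" and fields[1].isdigit():
            port = int(fields[1])
    return port

def audit(conf_text, version_text):
    """Classify one Squid instance against CVE-2026-32748."""
    if parse_version(version_text) >= FIXED:
        return "fixed"
    port = icp_port(conf_text)
    if port == 0:
        return "not-exposed"
    # icp_access rules are deliberately ignored: the advisory states that
    # denying ICP queries does not mitigate this bug.
    return f"vulnerable: ICP enabled on UDP/{port}"

if __name__ == "__main__":
    print(audit(SAMPLE_DENY, "Squid Cache: Version 7.4"))
    print(audit(SAMPLE_OFF, "Squid Cache: Version 7.4"))
```

For hosts reported as vulnerable, the options the advisory supports are upgrading to 7.5 or setting `icp_port` to 0.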

NVD

Weakness Types

Improper Resource Locking

The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource. When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the software. This might violate the software's assumption that the resource will not change, potentially leading to unexpected behaviors.

What is a Dangling pointer Vulnerability?

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2026-32748 has been classified as a Dangling pointer vulnerability or weakness.

Premature Release of Resource During Expected Lifetime

The program releases a resource that is still intended to be used by the program itself or another actor.


Products Associated with CVE-2026-32748


Affected Versions

squid-cache squid Version < 7.5 is affected by CVE-2026-32748

Exploit Probability

EPSS: 0.98%
Percentile: 76.63%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.