Squid <7.5 Heap UAF DoS via ICP
CVE-2026-33526 Published on March 26, 2026

Squid vulnerable to Denial of Service in ICP Request handling
Squid is a caching proxy for the Web. Prior to version 7.5, a heap use-after-free makes Squid vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using the ICP protocol. The attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure a non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
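The exposure conditions above can be checked against a deployment's version string and `squid.conf`. The following is an added example, not code from the Squid project or from this advisory; the function names, status labels and sample configuration are constructed for illustration. It flags any non-zero `icp_port` line without modelling how Squid resolves repeated directives, and it does not follow `include` files.

```python
import re

FIXED = (7, 5)  # first patched release, per the advisory text

def parse_version(text):
    """Extract a dotted version ('7.4', 'Squid Cache: Version 6.13') as an int tuple."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def icp_findings(conf_text):
    """Return (non-zero icp_port line numbers, icp_access line numbers)."""
    ports, acls = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if fields[0] == "icp_port" and len(fields) > 1:
            value = fields[1]
            # Anything that is not a literal zero is treated as ICP enabled.
            if not (value.isdigit() and int(value) == 0):
                ports.append(lineno)
        elif fields[0] == "icp_access":
            acls.append(lineno)
    return ports, acls

def assess(version_text, conf_text):
    """Classify a deployment as 'patched', 'icp-disabled' or 'exposed'."""
    ports, acls = icp_findings(conf_text)
    if parse_version(version_text) >= FIXED:
        status = "patched"
    elif not ports:
        status = "icp-disabled"  # affected version, but ICP is not enabled
    else:
        status = "exposed"       # icp_access rules do not change this
    return {"status": status, "icp_port_lines": ports, "icp_access_lines": acls}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
# constructed sample
http_port 3128
icp_port 3130
acl localnet src 10.0.0.0/8
icp_access allow localnet
icp_access deny all
"""

if __name__ == "__main__":
    print(assess("Squid Cache: Version 7.4", SAMPLE_CONF))
```

The `icp_access_lines` field is reported only so an operator can see which rules they may be relying on; per the advisory, those rules do not mitigate the issue.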

NVD

Weakness Types

What is a Dangling pointer Vulnerability?

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2026-33526 has been classified as a Dangling pointer vulnerability or weakness.

Premature Release of Resource During Expected Lifetime

The program releases a resource that is still intended to be used by the program itself or another actor.


Products Associated with CVE-2026-33526

Affected Versions

squid-cache squid Version < 7.5 is affected by CVE-2026-33526

Exploit Probability

EPSS: 1.98%
Percentile: 83.50%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.