CVE-2026-32748
Published: 26 March 2026
Summary
CVE-2026-32748 is a high-severity Improper Resource Locking (CWE-413) vulnerability in Squid-Cache Squid. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-5 (Denial-of-service Protection).
Deeper analysis
Squid, a widely deployed caching proxy for the Web, is affected by CVE-2026-32748 in all versions prior to 7.5. The root cause is a combination of premature resource release during the expected object lifetime and heap use-after-free conditions that manifest when the proxy processes ICP traffic. These memory-safety defects are tracked under CWE-413, CWE-416, and CWE-826 and produce a CVSS 4.0 score of 8.7 with high impact on availability.
A remote attacker who can send crafted ICP messages can trigger a reliable, repeatable denial-of-service condition against any Squid instance that has ICP support enabled via a non-zero icp_port setting. The attack succeeds even when icp_access rules are configured to restrict ICP queries, because the flaw occurs before access-control checks complete.
The official GitHub Security Advisory and the commit 703e07d25ca6fa11f52d20bf0bb879e22ab7481b confirm that the defects are resolved in Squid 7.5; operators are advised to upgrade rather than rely on network-level filtering. Mailing-list posts on oss-security reiterate that ICP must be disabled entirely if patching is delayed.
EPSS for the CVE rose sharply from a low baseline to a peak of 0.0180 on the disclosure date of 26 March 2026 before receding to its current value of 0.0021, indicating a transient but measurable increase in exploitation interest immediately after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16056
Vulnerability details
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote exploitation of public-facing Squid proxy via crafted ICP traffic directly enables application/system exploitation resulting in service crash (DoS).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Upgrading to Squid version 7.5, which contains the vendor fix, directly remediates the heap use-after-free bugs that cause DoS crashes from ICP traffic.
Restricting Squid to least functionality by disabling ICP support (setting icp_port to 0) eliminates the vulnerable protocol handling required for exploitation.
Denial-of-service protections directly limit the impact of remote attacks using crafted ICP traffic to crash the Squid service.
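A configuration audit for the exposure condition described above (Squid earlier than 7.5 with a non-zero icp_port), added here as an example and not taken from the Squid project or this page's source. The function names, result labels and sample configuration are constructed; it assumes a single squid.conf with no include files, an unset icp_port meaning ICP is disabled, and the version banner format printed by `squid -v`.

```python
import re

FIXED = (7, 5)  # first fixed release named in the advisory text above

def parse_version(banner):
    """Extract (major, minor) from text such as 'Squid Cache: Version 7.4'."""
    m = re.search(r"(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    return int(m.group(1)), int(m.group(2))

def directives(conf_text):
    """Yield whitespace-split fields of each non-comment configuration line."""
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def effective_icp_port(conf_text):
    """Return the icp_port in effect; 0 means ICP is disabled.
    Assumptions: absent directive means 0, last occurrence wins,
    'include' files are not followed."""
    port = 0
    for fields in directives(conf_text):
        if fields[0] == "icp_port" and len(fields) >= 2:
            port = int(fields[1])
    return port

def assess(banner, conf_text):
    """Classify one host against the conditions the advisory describes."""
    if parse_version(banner) >= FIXED:
        return "patched"
    if effective_icp_port(conf_text) == 0:
        return "icp-disabled"
    # icp_access rules do not mitigate, so they never downgrade the finding.
    if any(f[0] == "icp_access" for f in directives(conf_text)):
        return "exposed (icp_access present, not a mitigation)"
    return "exposed"

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
http_port 3128
# icp_port 0
icp_port 3130   # sibling cache queries
icp_access allow localnet
icp_access deny all
"""
if __name__ == "__main__":
    print(assess("Squid Cache: Version 7.4", SAMPLE_CONF))
```
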