CVE-2026-32748

Severity: High · Updated

Published: 26 March 2026
Modified: 30 June 2026
KEV Added: (none)
Patch: 25 March 2026
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0273 (84.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32748 is a high-severity Improper Resource Locking (CWE-413) vulnerability in Squid-Cache Squid. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-5 (Denial-of-service Protection).

Deeper analysis

Squid, a widely deployed caching proxy for the Web, is affected by CVE-2026-32748 in all versions prior to 7.5. The root cause is a combination of premature resource release during the expected object lifetime and heap use-after-free conditions that manifest when the proxy processes ICP traffic. These memory-safety defects are tracked under CWE-413, CWE-416, and CWE-826 and produce a CVSS 4.0 score of 8.7 with high impact on availability.

A remote attacker who can send crafted ICP messages can trigger a reliable, repeatable denial-of-service condition against any Squid instance that has ICP support enabled via a non-zero `icp_port` setting. The attack succeeds even when `icp_access` rules are configured to restrict ICP queries, because the flaw occurs before access-control checks complete.

The official GitHub Security Advisory and the commit 703e07d25ca6fa11f52d20bf0bb879e22ab7481b confirm that the defects are resolved in Squid 7.5; operators are advised to upgrade rather than rely on network-level filtering. Mailing-list posts on oss-security reiterate that ICP must be disabled entirely if patching is delayed.
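One way to check a host against the conditions described above (version below 7.5, non-zero `icp_port`, `icp_access` not counting as a mitigation). This is an added example, not code from the Squid project or the advisory. It assumes that a missing `icp_port` directive means ICP is disabled, that a later `icp_port` line overrides an earlier one, and that the version is read from a `squid -v` banner; `include` files are not followed.

```python
import re

FIXED = (7, 5)  # first fixed Squid release, per the advisory text above

def squid_version(banner):
    """Parse (major, minor) from `squid -v` output such as 'Squid Cache: Version 6.10'."""
    m = re.search(r"Version (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Squid version found in banner")
    return int(m.group(1)), int(m.group(2))

def active_directives(conf_text):
    """Yield (name, args) for non-comment squid.conf lines; include files are not followed."""
    for raw in conf_text.splitlines():
        parts = raw.split()
        if parts and not parts[0].startswith("#"):
            yield parts[0], parts[1:]

def assess(conf_text, banner):
    """Classify exposure to CVE-2026-32748 from squid.conf text and a version banner."""
    port = "0"  # assumption: no icp_port directive means ICP is disabled
    has_icp_access = False
    for name, args in active_directives(conf_text):
        if name == "icp_port" and args:
            port = args[0]  # assumption: a later icp_port line overrides an earlier one
        elif name == "icp_access":
            has_icp_access = True
    # Only an explicit numeric zero counts as disabled; anything unparsable fails closed.
    icp_enabled = not (port.isdigit() and int(port) == 0)
    if squid_version(banner) >= FIXED:
        return "patched"
    if not icp_enabled:
        return "vulnerable build, ICP disabled"
    if has_icp_access:
        return "exposed: icp_access rules do not mitigate"
    return "exposed"

# Constructed sample input, not taken from any real deployment.
SAMPLE_CONF = """\
http_port 3128
# icp_port 0
icp_port 3130
acl peers src 192.0.2.0/24
icp_access allow peers
icp_access deny all
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "Squid Cache: Version 6.10"))
```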

EPSS for the CVE rose sharply from a low baseline to a peak of 0.0180 on the disclosure date of 26 March 2026 before receding to its current value of 0.0021, indicating a transient but measurable increase in exploitation interest immediately after publication.

Vulnerability details

Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote exploitation of public-facing Squid proxy via crafted ICP traffic directly enables application/system exploitation resulting in service crash (DoS).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33526: Same product: Squid-Cache Squid
CVE-2025-54574: Same product: Squid-Cache Squid
CVE-2025-62168: Same product: Squid-Cache Squid
CVE-2026-27854: Shared CWE-416
CVE-2026-24681: Shared CWE-416
CVE-2026-24678: Shared CWE-416
CVE-2026-25983: Shared CWE-416
CVE-2026-31501: Shared CWE-416
CVE-2026-45185: Shared CWE-416
CVE-2026-41401: Shared CWE-416

Affected Assets

squid-cache squid, versions ≤ 7.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Upgrading Squid to version 7.5, which carries the vendor patch, directly remediates the heap use-after-free bugs that cause DoS crashes from ICP traffic.

Prevent: Restricting Squid to least functionality by disabling ICP support (`icp_port 0`) eliminates the vulnerable protocol handling required for exploitation.

Prevent: Denial-of-service protections directly limit the impact of remote attacks that use crafted ICP traffic to crash the Squid service.
