CVE-2026-33526
Published: 26 March 2026
Summary
CVE-2026-33526 is a high-severity Use After Free (CWE-416) vulnerability in Squid-Cache Squid. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 15.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely patching of the heap use-after-free flaw in Squid's ICP handling, as fixed in version 7.5.
Mandates disabling unnecessary functionality such as ICP support (`icp_port 0`) to eliminate the attack vector.
Implements memory protections like ASLR and DEP to mitigate exploitation of the heap use-after-free vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Crafted ICP traffic from a remote, unauthenticated sender triggers a use-after-free crash in a Squid proxy with ICP enabled (icp_port > 0), directly enabling application/system exploitation for endpoint DoS.
NVD Description
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Deeper analysis
CVE-2026-33526 is a heap use-after-free vulnerability (CWE-416, CWE-826) in Squid, an open-source caching proxy for the web, affecting versions prior to 7.5. The flaw occurs during the handling of ICP (Internet Cache Protocol) traffic, enabling a denial-of-service condition. It impacts only Squid deployments that explicitly enable ICP support by configuring a non-zero `icp_port` value.
A remote, unauthenticated attacker can exploit this vulnerability by sending crafted ICP traffic to the affected Squid instance, triggering the use-after-free and causing a reliable, repeatable crash of the service (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). No user interaction is required, and the attack requires low complexity due to the network-accessible nature of ICP when enabled.
Squid version 7.5 addresses the issue with a specific patch, as detailed in the commit at https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91 and the GitHub security advisory at https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg. Notably, the vulnerability cannot be mitigated using `icp_access` rules to deny ICP queries, as confirmed in the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/03/25/2. Security practitioners should upgrade to version 7.5 or later and review configurations to disable ICP if unnecessary.
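An added example, not from the advisory or the Squid project: a small audit that applies the exposure conditions stated above (non-zero `icp_port`, version before 7.5, `icp_access` not counted as a mitigation) to a configuration file. The sample configuration is constructed, and the "last directive wins" and "absent means disabled" behaviours are assumptions.

```python
import re

FIXED = (7, 5)  # the page: "Version 7.5 contains a patch"

# Constructed sample squid.conf fragment, not taken from a real deployment.
SAMPLE_CONF = """\
http_port 3128
icp_port 3130        # ICP explicitly enabled
icp_access deny all  # does NOT mitigate, per the advisory
"""

def directives(conf_text):
    """Yield each non-comment line as a list of tokens."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens

def effective_icp_port(conf_text):
    """Port from the last icp_port line, or 0 when none is present.

    Assumptions: a later directive overrides an earlier one, and an
    absent directive leaves ICP disabled.
    """
    port = 0
    for tokens in directives(conf_text):
        if tokens[0] == "icp_port" and len(tokens) > 1:
            port = int(tokens[1])
    return port

def audit(conf_text, version):
    """Return findings for a squid.conf text and a version such as '7.4'."""
    port = effective_icp_port(conf_text)
    patched = tuple(int(n) for n in re.findall(r"\d+", version)) >= FIXED
    denies = any(t[:2] == ["icp_access", "deny"] for t in directives(conf_text))
    if not port:
        return []  # ICP off: this attack path is not reachable
    if patched:
        return [f"INFO: ICP on port {port}; Squid {version} has the fix"]
    findings = [f"EXPOSED: icp_port {port} on Squid {version} (before 7.5)"]
    if denies:
        findings.append("NOTE: icp_access deny rules do not mitigate this flaw")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF, "7.4"):
        print(line)
```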
Details
- CWE(s)