Cyber Resilience

CVE-2026-33526

Severity: Critical

Published: 26 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (Squid 7.5)
CVSS v4 Score: 9.2 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0274 (84.3rd percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-33526 is a critical-severity Use After Free (CWE-416) vulnerability in Squid-Cache Squid. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 15.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

Squid, a caching proxy for the Web, is affected by a heap Use-After-Free vulnerability (CWE-416 and CWE-826) in versions prior to 7.5 when processing ICP traffic. The flaw produces a reliable and repeatable denial of service against the Squid service and is present only in deployments that explicitly configure a non-zero icp_port value. The CVSS 4.0 base score of 9.2 reflects a network attack vector with no privileges or user interaction required and high impact on availability.

A remote attacker can trigger the condition by sending crafted ICP messages, resulting in service disruption. The attack succeeds regardless of icp_access rules that would otherwise deny ICP queries, so those controls provide no mitigation.

The Squid 7.5 release contains a patch for the issue. Public references include the fixing commit, the GitHub security advisory GHSA-hpfx-h48q-gvwg, and the oss-security mailing list announcement from March 2026. The associated EPSS values remain low, with a modest peak of 0.0229.


Vulnerability details

Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

CWE(s): CWE-416 (Use After Free), CWE-826 (Premature Release of Resource During Expected Lifetime)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why this technique?

Remote, unauthenticated, crafted ICP traffic triggers a use-after-free crash in a Squid proxy with ICP enabled (icp_port > 0), which maps directly to application/system exploitation for endpoint denial of service.

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

CVEs Like This One

CVE-2026-32748 (same product: Squid-Cache Squid)
CVE-2025-54574 (same product: Squid-Cache Squid)
CVE-2025-62168 (same product: Squid-Cache Squid)
CVE-2026-26330 (shared CWE-416)
CVE-2026-4271 (shared CWE-416)
CVE-2024-57959 (shared CWE-416)
CVE-2024-56434 (shared CWE-416)
CVE-2025-63652 (shared CWE-416)
CVE-2026-6754 (shared CWE-416)
CVE-2026-6758 (shared CWE-416)

Affected Assets

squid-cache / squid: versions prior to 7.5 (fixed in 7.5)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely patching of the heap use-after-free flaw in Squid's ICP handling, as fixed in version 7.5.

CM-7 Least Functionality (prevent)

Mandates disabling unnecessary functionality such as ICP support (icp_port=0) to eliminate the attack vector.

Memory protection (prevent)

Implements memory protections like ASLR and DEP to mitigate exploitation of the heap use-after-free vulnerability.
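As an added illustration of the two preventive controls above (this is example code written for this page, not code from the advisory or the Squid project), the following Python script audits a squid.conf text for a non-zero `icp_port` and compares the running Squid version against the fixed release 7.5. Both configuration samples are constructed. It assumes, as the advisory states, that ICP is only enabled by an explicit non-zero `icp_port`, and additionally assumes that when the directive appears more than once the last occurrence is the effective one; it also flags `icp_access deny` rules as a non-mitigation, since the advisory says they do not help.

```python
"""Audit a Squid configuration for exposure to CVE-2026-33526.

Added example, not part of the advisory or the Squid project.
Assumptions (labelled): the configuration samples are constructed;
an absent icp_port directive means ICP is disabled; if icp_port
appears more than once, the last occurrence wins.
"""
import re
from dataclasses import dataclass, field

FIXED_VERSION = (7, 5)  # Squid 7.5 contains the fix (from the advisory)


@dataclass
class Finding:
    icp_enabled: bool
    icp_port: int
    has_icp_access_deny: bool
    vulnerable_version: bool
    exposed: bool
    notes: list = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """Turn a version string such as '7.4' or '6.10' into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Squid version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)))


def _active_lines(config_text: str):
    """Yield configuration lines with comments and blank lines removed."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def effective_icp_port(config_text: str) -> int:
    """Return the effective icp_port value; 0 means ICP is disabled."""
    port = 0
    for parts in _active_lines(config_text):
        if parts[0] == "icp_port" and len(parts) >= 2 and parts[1].isdigit():
            port = int(parts[1])  # assumption: last directive wins
    return port


def has_icp_deny_rule(config_text: str) -> bool:
    """True if any active 'icp_access deny ...' line is present."""
    return any(parts[:2] == ["icp_access", "deny"] for parts in _active_lines(config_text))


def assess(config_text: str, version: str) -> Finding:
    """Combine version and configuration into an exposure verdict with remediation notes."""
    port = effective_icp_port(config_text)
    deny = has_icp_deny_rule(config_text)
    vulnerable = parse_version(version) < FIXED_VERSION
    notes = []
    if vulnerable:
        notes.append(f"Squid {version} is prior to 7.5: apply the 7.5 update (SI-2).")
    if port:
        notes.append(f"icp_port {port} enables ICP; set icp_port 0 unless ICP is required (CM-7).")
    if port and deny:
        notes.append("icp_access deny rules do not mitigate CVE-2026-33526; do not rely on them.")
    # Exposed only when the build is unpatched AND ICP is actually listening.
    return Finding(port != 0, port, deny, vulnerable, vulnerable and port != 0, notes)


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """\
http_port 3128
icp_port 3130
icp_access deny all        # does NOT mitigate the ICP use-after-free
# icp_port 0               (commented out, so it has no effect)
"""

HARDENED_CONF = """\
http_port 3128
icp_port 0                 # ICP disabled: removes the attack surface (CM-7)
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ver in ("7.4", "7.5"):
            f = assess(conf, ver)
            print(f"{label} config, Squid {ver}: exposed={f.exposed}")
            for note in f.notes:
                print("  -", note)
```

Run against a real deployment by reading the actual squid.conf and the output of `squid -v` instead of the constructed samples; the verdict is `exposed` only when both the version is below 7.5 and ICP is listening, which matches the advisory's description of the affected population.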

References

GitHub security advisory GHSA-hpfx-h48q-gvwg
oss-security mailing list announcement, March 2026
Squid fixing commit (included in the 7.5 release)