CVE-2026-33526
Published: 26 March 2026
Summary
CVE-2026-33526 is a critical-severity Use After Free (CWE-416) vulnerability in Squid-Cache Squid. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 15.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
Squid, a caching proxy for the Web, is affected by a heap Use-After-Free vulnerability (CWE-416 and CWE-826) in versions prior to 7.5 when processing ICP traffic. The flaw produces a reliable and repeatable denial of service against the Squid service and is present only in deployments that explicitly configure a non-zero icp_port value. The CVSS 4.0 base score of 9.2 reflects that the flaw is reachable over the network and has a high impact on availability.
A remote attacker can trigger the condition by sending crafted ICP messages, resulting in service disruption. The attack succeeds regardless of icp_access rules that would otherwise deny ICP queries, so those controls provide no mitigation.
The Squid 7.5 release contains a patch for the issue. Public references include the fixing commit, the GitHub security advisory GHSA-hpfx-h48q-gvwg, and the oss-security mailing list announcement from March 2026. The associated EPSS values remain low, peaking at 0.0229.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16068
Vulnerability details
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
- CWE(s): CWE-416 (Use After Free), CWE-826 (Premature Release of Resource During Expected Lifetime)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated, crafted ICP traffic triggers a use-after-free crash in any Squid proxy with ICP enabled (icp_port > 0), which maps directly to Application or System Exploitation used for endpoint denial of service.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely patching of the heap use-after-free flaw in Squid's ICP handling, as fixed in version 7.5.
- CM-7 (Least Functionality): mandates disabling unnecessary functionality such as ICP support (icp_port=0) to eliminate the attack vector.
- SI-16 (Memory Protection): implements memory protections like ASLR and DEP to mitigate exploitation of the heap use-after-free vulnerability. These protections harden against memory-corruption exploitation in general but do not prevent the crash-based denial of service described here; only patching or disabling ICP removes that outcome.
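The two controls that actually remove the exposure, upgrading to 7.5 and setting icp_port to 0, can be turned into a quick configuration check. The following is an added example written for this page, not code from the Squid project or from the advisory: it parses squid.conf text and a version string, classifies an instance as exposed, unpatched-but-unreachable, or patched, and rewrites the config to disable ICP. It assumes that Squid honours the last icp_port directive in the file, that an absent directive means ICP is off (consistent with the advisory's "explicitly enable" wording), that `include` directives need not be followed, and that `squid -v` reports its version as "Squid Cache: Version X.Y"; the sample configs are constructed.

```python
import re

# Squid 7.5 contains the fix for CVE-2026-33526 (from the advisory text).
FIXED_VERSION = (7, 5)


def parse_version(text):
    """Extract a comparable (major, minor, patch) tuple from a version string.

    Accepts either a bare '6.10' or the first line of `squid -v` output,
    assumed to look like 'Squid Cache: Version 6.10'.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def effective_icp_port(conf_text):
    """Return the icp_port value Squid would use for this squid.conf text.

    Assumptions: directives are read top to bottom and the last icp_port
    line wins; a missing directive means ICP is disabled (port 0), matching
    the advisory's note that ICP must be explicitly enabled. `include`
    directives are not followed.
    """
    port = 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "icp_port":
            port = int(parts[1])
    return port


def disable_icp(conf_text):
    """Return conf_text with ICP turned off (icp_port 0), the CM-7 mitigation.

    Every existing icp_port directive is replaced so no later line can
    re-enable the listener; if none exists the directive is appended.
    """
    out, seen = [], False
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "icp_port":
            out.append("icp_port 0")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append("icp_port 0")
    return "\n".join(out) + "\n"


def assess(version_text, conf_text):
    """Classify one Squid instance against CVE-2026-33526."""
    unpatched = parse_version(version_text) < FIXED_VERSION
    port = effective_icp_port(conf_text)
    if unpatched and port != 0:
        status = "exposed"            # vulnerable code AND the ICP listener is on
    elif unpatched:
        status = "unpatched-icp-off"  # flaw present but not reachable over ICP
    else:
        status = "patched"
    return {"status": status, "icp_port": port, "unpatched": unpatched}


# Constructed sample configs (not taken from the advisory or any real host).
CONF_ICP_ENABLED = """\
http_port 3128
icp_port 3130
# Per the advisory, icp_access rules do NOT mitigate this flaw:
icp_access deny all
"""

CONF_ICP_DISABLED = """\
http_port 3128
icp_port 0
"""

if __name__ == "__main__":
    for ver, conf in [("Squid Cache: Version 6.13", CONF_ICP_ENABLED),
                      ("Squid Cache: Version 6.13", CONF_ICP_DISABLED),
                      ("Squid Cache: Version 7.5", CONF_ICP_ENABLED)]:
        print(ver, "->", assess(ver, conf))
    print(disable_icp(CONF_ICP_ENABLED))
```

The first sample deliberately carries `icp_access deny all` and is still reported as exposed, mirroring the advisory's point that access rules do not help; the version comparison uses integer tuples so that 6.10 correctly sorts above 6.9.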