PT-2026-28165 · Squid+4 · Squid+5

Asim Viladi Oglu Manizada +2 · Published 2026-01-01 · Updated 2026-05-05 · CVE-2026-33526

CVSS v4.0: 9.2 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Name of the Vulnerable Software and Affected Versions
Squid versions prior to 7.5

Description
Squid, a caching proxy for the Web, contains a heap Use-After-Free issue that can lead to Denial of Service when handling ICP traffic. This allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using the ICP protocol. The attack is limited to deployments that explicitly enable ICP support by configuring a non-zero icp_port. Denying ICP queries using icp_access rules does not mitigate this issue.

Recommendations
Update to version 7.5 or later.
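
A triage check for the exposure condition in the description, added here as an example (not code from the advisory or the Squid project). The function names are hypothetical; it assumes an absent icp_port directive means ICP is disabled, does not follow included config files, and compares upstream version numbers only, so a distribution package with a backported fix must be checked against the vendor advisory instead.

```python
import re

FIXED = (7, 5)  # first fixed upstream release, per the advisory


def _directives(conf_text):
    """Yield token lists for each non-empty, non-comment squid.conf line."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens


def effective_icp_port(conf_text):
    """Return the icp_port in effect; 0 means ICP is disabled."""
    port = 0  # assumption: directive absent means ICP is off
    for tokens in _directives(conf_text):
        if tokens[0] == "icp_port" and len(tokens) > 1 and tokens[1].isdigit():
            port = int(tokens[1])  # a later directive overrides an earlier one
    return port


def parse_version(text):
    """Extract a version tuple from text such as 'Squid Cache: Version 6.13'."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError("no version number found")
    return tuple(int(part) for part in match.group(0).split("."))


def assess(conf_text, version_text):
    """Report whether this config and version match the advisory's condition."""
    port = effective_icp_port(conf_text)
    old = parse_version(version_text) < FIXED
    acl = any(t[0] == "icp_access" for t in _directives(conf_text))
    return {
        "icp_port": port,
        "version_prior_to_fix": old,
        "exposed": old and port != 0,
        # icp_access rules do not mitigate the issue, so flag false comfort
        "icp_access_is_not_a_mitigation": acl and old and port != 0,
    }


# Constructed sample input, not taken from any real deployment.
SAMPLE_CONF = "http_port 3128\nicp_port 3130  # sibling caches\nicp_access deny all\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "Squid Cache: Version 6.13"))
```
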

Exploit

Fix

DoS

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2026:6301
ALSA-2026:8119
ALSA-2026:8317
BDU:2026-07242
CVE-2026-33526
GHSA-HPFX-H48Q-GVWG
MGASA-2026-0094
RHSA-2026:10255
RHSA-2026:10256
RHSA-2026:10257
RHSA-2026:11901
RHSA-2026:6301
RHSA-2026:8119
RHSA-2026:8317
RHSA-2026:8880
RHSA-2026:9220
USN-8157-1

Affected Products

Linuxmint
Red Os
Rocky Linux
Squid
Squid Cache
Ubuntu