CVE-2026-32748

Squid has Denial of Service in ICP Response handling

CVSS 8.7 HIGH · EPSS 2.7% · CWE-413 · CWE-416 · CWE-826
In short

Squid proxy versions before 7.5 have memory bugs in ICP (Internet Cache Protocol) handling that allow attackers to crash the service. An attacker can reliably take the service offline by sending specially crafted ICP traffic.

Technical detail

The vulnerability stems from premature resource release and heap use-after-free conditions (CWE-413, CWE-416, CWE-826) in ICP response processing. A remote attacker can trigger a Denial of Service by sending ICP protocol packets to a Squid instance that has ICP enabled. Only deployments that explicitly enable ICP (a non-zero `icp_port`) are affected, and the issue cannot be mitigated by denying ICP queries with `icp_access` rules.

Summary generated and translated by AI from the official description.
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
Affected products
squid-cache · squid
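
The exposure conditions in the description (a version before 7.5 together with a non-zero `icp_port`, with `icp_access` rules not counting as a mitigation) can be checked against a host's `squid -v` banner and `squid.conf`. The following is an added example, not code from the advisory or the Squid project: the function names are hypothetical, the sample banner and configuration are constructed, and it assumes that an unset `icp_port` means ICP is disabled, that the last `icp_port` directive wins, and that `include` files are checked separately.

```python
import re

FIXED = (7, 5)  # first fixed release named in the advisory

def parse_version(banner):
    """Return (major, minor) from `squid -v` style output, or None."""
    m = re.search(r"Version\s+(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def scan_conf(conf_text):
    """Return (effective icp_port, whether any icp_access deny rule exists)."""
    port, deny = 0, False          # assumption: ICP is off unless icp_port is set
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments
        if len(parts) < 2:
            continue
        if parts[0] == "icp_port" and parts[1].isdigit():
            port = int(parts[1])   # assumption: the last directive wins
        elif parts[0] == "icp_access" and parts[1] == "deny":
            deny = True
    return port, deny

def assess(banner, conf_text):
    """Classify one Squid instance against the advisory's conditions."""
    version = parse_version(banner)
    port, deny = scan_conf(conf_text)
    notes = []
    if port == 0:
        status = "not exposed: ICP disabled"
    elif version is None:
        status = "review: ICP enabled, version unknown"
    elif version >= FIXED:
        status = "not exposed: fixed version"
    else:
        status = "exposed: upgrade to 7.5 or disable ICP"
        if deny:
            notes.append("icp_access deny rules do not mitigate this issue")
    return {"status": status, "icp_port": port, "version": version, "notes": notes}

# Constructed sample inputs, not taken from a real host.
SAMPLE_BANNER = "Squid Cache: Version 6.10\nService Name: squid"
SAMPLE_CONF = """\
http_port 3128
icp_port 3130          # sibling cache queries
icp_access deny all
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```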
