CVE-2026-33526: Squid vulnerable to Denial of Service in ICP Request handling
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Security readout for executives and security teams
Plain-English summary
This flaw can let an unauthenticated remote attacker repeatedly crash a Squid proxy, but only where ICP support is explicitly enabled. The issue is severe for affected proxy infrastructure because service availability can be lost without user interaction. Squid 7.5 contains the upstream patch.
Executive priority
Prioritize systems that use Squid as critical proxy infrastructure and have ICP enabled. Treat externally reachable ICP as urgent because the stated impact is reliable service disruption. Where ICP is disabled, urgency is lower but version verification is still required.
Technical view
CVE-2026-33526 is a heap use-after-free in Squid ICP request handling before version 7.5. The CVSS 4.0 score is 9.2. Exposure requires a non-zero icp_port. The advisory states icp_access denial rules do not mitigate the issue.
Likely exposure
Organizations are likely exposed only if they run Squid before 7.5 with ICP explicitly enabled through a non-zero icp_port. Internet-facing or broadly reachable proxy peers increase operational impact. Deployments without ICP enabled are not described as exposed in the provided sources.
Exploitation context
The source bundle supports remote, unauthenticated, reliable denial of service via ICP traffic. It does not show CISA KEV listing or active exploitation evidence. No source in the bundle supports data theft, code execution, or privilege escalation.
Researcher notes
The key exposure condition is configuration-specific: non-zero icp_port. The advisory explicitly rules out icp_access as a sufficient control. Evidence is strongest for denial of service, not confidentiality or integrity compromise. Patch reference points to Squid 7.5.
Mitigation direction
Upgrade Squid to version 7.5 or a vendor-fixed package.
If ICP is not required, disable ICP by using icp_port 0.
Do not rely on icp_access deny rules as mitigation.
Review applicable Red Hat errata for packaged platform fixes.
Limit ICP reachability to required trusted peers where ICP must remain enabled.
Validation and detection
Inventory all Squid deployments and record installed versions.
Inspect Squid configuration for non-zero icp_port values.
Confirm whether ICP is reachable from untrusted networks.
Verify vendor package status against applicable Red Hat advisories.
Monitor affected proxies for crashes, restarts, or availability loss.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-416: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-416 · source CWE mapping
Use After Free
Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Expired Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Premature Release of Resource During Expected Lifetime
Premature Release of Resource During Expected Lifetime represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.