Skip to main content

Squid CVE-2026-32748

| EUVDEUVD-2026-16056 HIGH
Improper Resource Locking (CWE-413)
2026-03-26 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ubuntu
MEDIUM
qualitative
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 01:00 euvd
EUVD-2026-16056
Analysis Generated
Mar 26, 2026 - 01:00 vuln.today
CVE Published
Mar 26, 2026 - 00:11 nvd
HIGH 8.7

DescriptionCVE.org

Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero icp_port). This problem _cannot_ be mitigated by denying ICP queries using icp_access rules. This bug is fixed in Squid version 7.5.

AnalysisAI

Squid proxy versions prior to 7.5 contain use-after-free and premature resource release vulnerabilities in ICP (Internet Cache Protocol) traffic handling that enable reliable, repeatable denial of service attacks. Remote attackers can exploit these memory safety bugs to crash the Squid service by sending specially crafted ICP packets, affecting deployments that have explicitly enabled ICP support via non-zero icp_port configuration. While no CVSS score or EPSS value is currently published, the vulnerability is confirmed by vendor advisory and includes a public patch commit, indicating moderate to high real-world risk for affected deployments.

Technical ContextAI

The vulnerability resides in Squid's ICP protocol implementation, which is a lightweight UDP-based protocol used for inter-cache communication and query distribution across cache hierarchies. The root cause is classified as CWE-413 (Improper Resource Validation), manifesting as both use-after-free (a heap memory corruption defect) and premature release of resources during their expected operational lifetime. These memory safety defects occur during ICP packet processing, suggesting flaws in object lifecycle management, reference counting, or buffer handling within Squid's ICP module. The affected software is identified via CPE (cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*), indicating all versions of Squid prior to 7.5 are vulnerable when ICP support is enabled.

RemediationAI

Upgrade Squid to version 7.5 or later immediately. For organizations unable to patch promptly, disable ICP support by setting icp_port to 0 in squid.conf and restarting the service-this eliminates the attack surface entirely and is guaranteed effective since the vulnerability cannot be mitigated by icp_access rules alone. Apply the patch from the vendor advisory (https://github.com/squid-cache/squid/security/advisories/GHSA-f9p7-3jqg-hhvq) or pull the fixed code commit (703e07d25ca6fa11f52d20bf0bb879e22ab7481b) if building from source. For defense-in-depth, restrict UDP port 3130 (default ICP port) at the network perimeter to trusted peer caches only, and monitor Squid process stability for unexpected crashes or restarts.

More in Squid

View all
CVE-2016-4553 HIGH
8.6 May 10

client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI i

CVE-2016-4054 HIGH
8.1 Apr 25

Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via cr

CVE-2016-4555 HIGH POC
7.5 May 10

client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of servi

CVE-2016-3947 HIGH
8.2 Apr 07

Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger utility in Squid before 3.5.16 and

CVE-2013-4123 MEDIUM POC
5.0 Sep 16

client_side_request.cc in Squid 3.2.x before 3.2.13 and 3.3.x before 3.3.8 allows remote attackers to cause a denial of

CVE-2013-4115 HIGH
7.5 Aug 09

Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows

CVE-2016-4554 HIGH
8.6 May 10

mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly c

CVE-2014-7141 MEDIUM
6.4 Nov 26

The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of servic

CVE-2014-3609 MEDIUM
5.0 Sep 11

HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (

CVE-2016-2569 HIGH
7.5 Feb 27

Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote server

CVE-2016-3948 HIGH
7.5 Apr 07

Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause

CVE-2014-7142 MEDIUM
6.4 Nov 26

The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of servic

Vendor StatusVendor

Ubuntu

Priority: Medium
squid
Release Status Version
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream needs-triage -
squid3
Release Status Version
xenial needs-triage -
bionic needs-triage -
jammy DNE -
noble DNE -
questing DNE -
upstream needs-triage -

Debian

squid
Release Status Fixed Version Urgency
bullseye vulnerable 4.13-10+deb11u3 -
bullseye (security) vulnerable 4.13-10+deb11u6 -
bookworm vulnerable 5.7-2+deb12u5 -
bookworm (security) vulnerable 5.7-2+deb12u4 -
trixie, trixie (security) vulnerable 6.13-2+deb13u1 -
forky vulnerable 7.4-1 -
sid fixed 7.5-1 -
(unstable) fixed 7.5-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

CVE-2026-32748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy