
Squid CVE-2026-33526

EUVD-2026-16068
Severity: CRITICAL
Use After Free (CWE-416)
2026-03-26 GitHub_M
CVSS 4.0: 9.2

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Patch released: Mar 31, 2026 - 21:13 (nvd), Patch available
EUVD ID Assigned: Mar 26, 2026 - 01:00 (euvd), EUVD-2026-16068
Analysis Generated: Mar 26, 2026 - 01:00 (vuln.today)
CVE Published: Mar 26, 2026 - 00:16 (nvd), CRITICAL 9.2

Description (NVD)

Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero icp_port). This problem _cannot_ be mitigated by denying ICP queries using icp_access rules. Version 7.5 contains a patch.
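A configuration audit for the exposure condition described above, as an added example (not code from Squid or from the advisory). It assumes the caller supplies `squid -v` output and the text of squid.conf, does not follow `include`d files, and compares the upstream version only, so distribution backports still need the vendor status checked.

```python
import re

FIXED = (7, 5)  # first fixed release, per the advisory text

def parse_version(squid_v_output):
    """Extract the upstream version tuple from `squid -v` style output."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)*)", squid_v_output)
    if not m:
        raise ValueError("no Squid version found")
    return tuple(int(p) for p in m.group(1).split("."))

def directives(conf_text):
    """Yield each config line as a list of fields, comments stripped."""
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def effective_icp_port(conf_text):
    """Return the last icp_port value set in the config."""
    port = 0  # assumption: ICP stays off unless icp_port is configured
    for fields in directives(conf_text):
        if fields[0] == "icp_port" and len(fields) >= 2:
            port = int(fields[1])
    return port

def assess(squid_v_output, conf_text):
    """Report whether this host meets the advisory's exposure condition."""
    version = parse_version(squid_v_output)
    port = effective_icp_port(conf_text)
    # Counted only to flag them: the advisory says icp_access rules
    # do not mitigate this issue.
    denies = sum(1 for f in directives(conf_text)
                 if f[:2] == ["icp_access", "deny"])
    return {
        "version": version,
        "icp_port": port,
        "exposed": version < FIXED and port != 0,
        "icp_access_deny_rules_not_a_mitigation": denies,
    }

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
http_port 3128
# icp_port 0
icp_port 3130
icp_access deny all
"""

if __name__ == "__main__":
    print(assess("Squid Cache: Version 6.13", SAMPLE_CONF))
```

A host reported as exposed stays exposed until it is upgraded to 7.5 or `icp_port` is set to zero, regardless of how many `icp_access deny` rules are counted.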

Analysis (AI)

Squid versions prior to 7.5 contain a heap use-after-free vulnerability (CWE-416) in ICP (Internet Cache Protocol) traffic handling that enables remote attackers to reliably trigger denial of service against affected proxy services. The vulnerability affects any Squid deployment with ICP support explicitly enabled via non-zero icp_port configuration, and cannot be mitigated through access control rules alone. …


Remediation (AI)

Within 24 hours: Identify all affected systems and apply vendor patches immediately. If patching is delayed, consider network segmentation to limit exposure.


Vendor Status (Vendor)

Ubuntu

Priority: Medium
squid

| Release | Status | Version |
|---|---|---|
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |

squid3

| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |

Debian

squid

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 4.13-10+deb11u3 | - |
| bullseye (security) | vulnerable | 4.13-10+deb11u6 | - |
| bookworm | vulnerable | 5.7-2+deb12u5 | - |
| bookworm (security) | vulnerable | 5.7-2+deb12u4 | - |
| trixie, trixie (security) | vulnerable | 6.13-2+deb13u1 | - |
| forky | vulnerable | 7.4-1 | - |
| sid | fixed | 7.5-1 | - |
| (unstable) | fixed | 7.5-1 | - |
