CVE-2026-33526

EUVD-2026-16068 CRITICAL
2026-03-26 GitHub_M
9.2
CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

| Event | Date | Source | Detail |
| --- | --- | --- | --- |
| Patch Released | Mar 31, 2026 - 21:13 | nvd | Patch available |
| EUVD ID Assigned | Mar 26, 2026 - 01:00 | euvd | EUVD-2026-16068 |
| Analysis Generated | Mar 26, 2026 - 01:00 | vuln.today | |
| CVE Published | Mar 26, 2026 - 00:16 | nvd | CRITICAL 9.2 |

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

Analysis

Squid versions prior to 7.5 contain a heap use-after-free vulnerability (CWE-416) in ICP (Internet Cache Protocol) traffic handling that enables remote attackers to reliably trigger denial of service against affected proxy services. The vulnerability affects any Squid deployment with ICP support explicitly enabled via non-zero icp_port configuration, and cannot be mitigated through access control rules alone. …


Remediation

Within 24 hours: Identify all affected systems and apply vendor patches immediately. If patching is delayed, consider network segmentation to limit exposure.
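One way to carry out the identification step, as an added example that is not part of the advisory or the Squid project: it classifies a host from its `squid.conf` text and its `squid -v` banner. The function names and sample input are constructed; it assumes ICP is off unless `icp_port` is set, that a later `icp_port` line overrides an earlier one, and it does not follow `include` files or account for distribution backports of the fix.

```python
import re

FIXED = (7, 5)  # first fixed upstream release named in the advisory

def effective_icp_port(conf_text):
    """Return the icp_port in effect for squid.conf text (0 means ICP is off)."""
    port = 0  # assumption: ICP stays disabled unless icp_port is configured
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tokens) >= 2 and tokens[0] == "icp_port":
            port = int(tokens[1])  # assumption: a later directive overrides an earlier one
    return port

def icp_exposure(conf_text, version_banner):
    """Classify one host from its squid.conf text and its `squid -v` output."""
    m = re.search(r"Version (\d+)\.(\d+)", version_banner)
    if m is None:
        raise ValueError("no Squid version found in banner")
    version = (int(m[1]), int(m[2]))
    port = effective_icp_port(conf_text)
    if version >= FIXED:
        return "patched"
    if port == 0:
        return "unpatched, ICP disabled"
    # icp_access rules are deliberately not consulted: the advisory states
    # that they do not mitigate this issue.
    return f"exposed on UDP port {port}"

# Constructed sample input: ICP enabled, with an icp_access deny rule present.
SAMPLE_CONF = """\
http_port 3128
# icp_port 0
icp_port 3130
icp_access deny all
"""
SAMPLE_BANNER = "Squid Cache: Version 6.13"

if __name__ == "__main__":
    print(icp_exposure(SAMPLE_CONF, SAMPLE_BANNER))
```
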


Priority Score

48
KEV: 0
EPSS: +2.0
CVSS: +46
POC: 0

Vendor Status

Ubuntu

Priority: Medium
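squid

| Release | Status | Version |
| --- | --- | --- |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |

squid3

| Release | Status | Version |
| --- | --- | --- |
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |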

Debian

squid

| Release | Status | Fixed Version | Urgency |
| --- | --- | --- | --- |
| bullseye | vulnerable | 4.13-10+deb11u3 | - |
| bullseye (security) | vulnerable | 4.13-10+deb11u6 | - |
| bookworm | vulnerable | 5.7-2+deb12u5 | - |
| bookworm (security) | vulnerable | 5.7-2+deb12u4 | - |
| trixie, trixie (security) | vulnerable | 6.13-2+deb13u1 | - |
| forky | vulnerable | 7.4-1 | - |
| sid | fixed | 7.5-1 | - |
| (unstable) | fixed | 7.5-1 | - |


CVE-2026-33526 vulnerability details – vuln.today