Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero icp_port). This problem cannot be mitigated by denying ICP queries using icp_access rules. Version 7.5 contains a patch.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-416",
"CWE-826"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33526.json"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "7.5"
}
],
"cpe": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
]
}"2026-07-09T17:42:10Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33526.json"
[
{
"signature_type": "Line",
"target": {
"file": "src/icp_v2.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"73291067842458533164972804911244939871",
"289434267660738907646178562670084950542",
"161410907837101138192443052047182141846",
"288951295780996692180570840948384752569"
],
"threshold": 0.9
},
"id": "CVE-2026-33526-85b6743e",
"source": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91",
"signature_version": "v1"
},
{
"signature_type": "Function",
"target": {
"file": "src/icp_v2.cc",
"function": "icpGetRequest"
},
"deprecated": false,
"digest": {
"length": 489.0,
"function_hash": "77918609118482961262740620302725334546"
},
"id": "CVE-2026-33526-d849cb7b",
"source": "https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91",
"signature_version": "v1"
}
]