External risk intelligence

Squid ICP Denial of Service Heap Use-After-Free Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-33526

The vulnerability affects Squid, a caching proxy, but specifically requires the ICP protocol to be explicitly enabled via a non-zero icp_port configuration. While Squid is often internet-facing, ICP is typically used for inter-cache communication within internal or peer-to-peer networks rather than being public-facing by design, making widespread exposure of this specific feature less common.

Use After Free

Squid Cache Squid

before 7.5

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability impacts Squid, a web caching proxy, specifically when the Internet Cache Protocol (ICP) is enabled. It allows for a reliable denial-of-service attack, potentially disrupting services that rely on this specific Squid configuration. The main concern is confirming relevance and exposure within your specific environment.

  • Prevents web proxy services from running.
  • Affects Squid when ICP protocol is enabled.
  • Confirm if your Squid ICP configuration is exposed.

Attack Path

How an attacker could exploit the issue

An attacker can remotely trigger this vulnerability by sending specially crafted ICP traffic to a Squid proxy that has ICP support explicitly enabled. This could lead to the Squid service becoming unavailable.

  • Requires ICP protocol to be enabled.
  • Triggered by crafted ICP traffic.
  • Results in Denial of Service.

Live Threat

Current exploitation, exposure, and threat context

When Squid's ICP support is explicitly enabled, a remote attacker could cause the service to repeatedly crash. This vulnerability, stemming from a heap use-after-free error, could impact the availability of the Squid proxy when handling ICP traffic.

  • Squid service availability.
  • Malicious ICP traffic.
  • Repeated service crashes.

Operational Fix

Recommended remediation, mitigation, and detection steps

In many organizations, the platform or infrastructure teams responsible for maintaining the Squid proxy service will likely own this issue. The first practical step is to inventory all Squid deployments, confirm if ICP is enabled, assess if these instances are externally reachable, and then identify the specific application or service owners for those critical or exposed instances to plan remediation.

  • Platform/Infrastructure teams own the fix.
  • Verify ICP port is enabled and exposed.
  • Plan maintenance for ICP-enabled Squid instances.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Squid?

Squid is a widely used open-source web caching proxy. It acts as an intermediary for web requests, storing copies of frequently accessed content to improve delivery speeds and reduce bandwidth consumption. Beyond basic caching, it supports various protocols to coordinate between multiple cache servers, helping large networks manage traffic efficiently.

What is the vulnerability in CVE-2026-33526?

This vulnerability is a Heap Use-After-Free. This occurs when the software continues to use a memory location after it has been cleared or freed. In this specific case, sending certain ICP traffic can confuse the software's memory management, causing it to crash repeatedly. This effectively stops the proxy from functioning, resulting in a Denial of Service.

How is this bug triggered?

The bug is triggered when a remote attacker sends specially crafted ICP traffic to the proxy. Crucially, the vulnerability only exists if the `icp_port` is configured to a non-zero value, which explicitly enables ICP support. If ICP is disabled, the vulnerability is not reachable. Importantly, simply blocking ICP queries with access rules is insufficient to prevent the crash.

Is my Squid instance at risk?

According to Halo Surface Signal, risk depends on your specific configuration. While Squid is often internet-facing, ICP is generally meant for internal or peer-to-peer communication between caches, not for public web traffic. You are only at risk if you have enabled ICP support on an instance that is reachable by an attacker.

What should I do to address this?

First, inventory your Squid deployments to find where ICP is enabled. Check your configuration files for a non-zero `icp_port`. For any instance where ICP is active, prioritize upgrading to version 7.5 or later, which includes the necessary patch. If an upgrade is not immediately possible, evaluate if the ICP feature is strictly necessary for your network topology.

References