Squid, the widely deployed open-source caching proxy, has been hit with a trio of significant security vulnerabilities affecting its Internet Cache Protocol (ICP) implementation. These flaws, which include two critical Denial of Service (DoS) bugs and a memory-leaking Information Disclosure vulnerability, pose a direct threat to the availability and confidentiality of web proxy hierarchies.
Squid is a vital component for many organizations, used to reduce bandwidth and improve web response times by caching frequently requested content. However, these new findings suggest that if not properly configured or patched, the very tool meant to optimize a network could become its primary point of failure.
The vulnerabilities center on how Squid handles ICP traffic—a lightweight protocol used by proxies to communicate with each other in a cluster.
Denial of Service (CVE-2026-33526, CVSS 9.2, and CVE-2026-32748, CVSS 8.7)
The most severe flaws involve heap Use-After-Free bugs. Attackers can exploit these to perform “reliable and repeatable” Denial of Service attacks against the Squid service.
A remote attacker can crash the Squid daemon, effectively cutting off internet access for all users relying on that proxy. These vulnerabilities are particularly dangerous because they cannot be mitigated by standard access rules. Even if you configure icp_access to deny queries, the service remains vulnerable to the crash.
Sensitive Memory Disclosure (CVE-2026-33515, CVSS 6.9)
This flaw stems from improper input validation in ICP message handling. A remote attacker can send invalid requests that cause Squid to respond with small amounts of its internal memory. This leaked memory may contain sensitive information processed by the proxy, such as metadata or fragments of other users’ web traffic.
Are You Vulnerable?
The attack is limited to Squid deployments that have explicitly enabled ICP support by configuring a non-zero icp_port. To check your current configuration, administrators can run the following command:
Affected Versions:
- Vulnerable: All Squid versions from 3.0 up to and including 7.4 if a non-zero port is configured.
- Safe: Versions prior to 3.2 without a configured port, or any version where the port is explicitly set to 0.
The Fix: Patches and Workarounds
The Squid team has officially addressed these issues in Squid version 7.5. For those unable to upgrade the entire package immediately, individual patches are available for the stable Squid 7 branch (commits 8a7d42f, 703e07d, and 8138e90).
Important Workarounds: If you cannot patch or upgrade immediately, you must disable the vulnerable protocol entirely to remain safe:
- Disable ICP: Remove ICP support from your configuration.
- Explicit Shutdown: Set your icp_port to 0 in your squid.conf file.
Warning: Do not rely on icp_access rules for protection. The vulnerability is triggered before these rules are even processed.
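The configuration check and the workaround above can be combined into one audit of a squid.conf file. The script below is an added example, not a command from this article or from the Squid project; its function names are hypothetical, and it assumes the last icp_port line in the file is the effective one and that include directives are not followed.

```shell
#!/bin/sh
# Added example (not from the Squid project). Assumptions: the last icp_port
# line in the file is the effective one; include directives are not followed.

# Print the effective icp_port value, or "unset" if no directive is present.
effective_icp_port() {
    awk '
        { sub(/#.*/, "") }                          # strip comments
        $1 == "icp_port" && NF >= 2 { port = $2 }   # later lines override
        END { print (port == "" ? "unset" : port) }
    ' "$1"
}

# Exit status 0 when ICP is enabled (non-zero port), 1 when it is off.
icp_enabled() {
    case "$(effective_icp_port "$1")" in
        unset|0) return 1 ;;
        *)       return 0 ;;
    esac
}

# One-line verdict, plus a note when icp_access is being relied on.
icp_report() {
    if icp_enabled "$1"; then
        echo "EXPOSED: icp_port $(effective_icp_port "$1") is set"
        if grep -Eq '^[[:space:]]*icp_access[[:space:]]' "$1"; then
            echo "NOTE: icp_access rules are present but do not mitigate this"
        fi
    else
        echo "OK: ICP is off (icp_port $(effective_icp_port "$1"))"
    fi
}

# Constructed sample configuration, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
http_port 3128
# icp_port 0
icp_port 3130
icp_access deny all
EOF
icp_report "$sample"
rm -f "$sample"
```

Call icp_report with the path to the squid.conf in use on the proxy; a commented-out icp_port 0 line, as in the sample, does not disable ICP.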