DEBIAN-CVE-2026-33526

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2026-33526

Published: 01 Jan 1, 00:00

Last modified:26 Mar 2026, 04:00

Vulnerability Summary

Overall Risk (default)

minimal

0/100

CVSS Score

No data

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

01 Jan 1, 00:00

Published

Vulnerability first disclosed

26 Mar 2026, 04:00

Last Modified

Vulnerability information updated

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

Affected Systems

debian•squid
all | all | all | all

References (1)

https://security-tracker.debian.org/tracker/CVE-2026-33526