CVE-2026-32748 Overview
CVE-2026-32748 is a Use-After-Free vulnerability affecting Squid, the widely deployed caching proxy for the Web. Squid versions prior to 7.5 contain a premature release of a resource during its expected lifetime and heap Use-After-Free bugs, which make them vulnerable to Denial of Service attacks when handling Internet Cache Protocol (ICP) traffic. Remote attackers can use this vulnerability to perform reliable and repeatable Denial of Service attacks against affected Squid deployments.
Critical Impact
Remote attackers can exploit this Use-After-Free vulnerability to cause persistent Denial of Service against Squid proxy services using ICP protocol traffic. The attack cannot be mitigated using icp_access rules.
Affected Products
- Squid-cache Squid versions prior to 7.5
- Squid deployments with ICP support enabled (non-zero icp_port configured)
- All platforms running vulnerable Squid versions with ICP configuration
Discovery Timeline
- March 26, 2026 - CVE-2026-32748 published to NVD
- March 26, 2026 - Last updated in NVD database
Technical Details for CVE-2026-32748
Vulnerability Analysis
This vulnerability stems from improper memory management in Squid's ICP traffic handling routines. The flaw involves premature release of memory resources during their expected lifetime, creating a classic Use-After-Free condition in heap memory. When Squid processes ICP protocol traffic, the memory management logic incorrectly frees memory objects while they are still being referenced, leading to subsequent access of freed memory regions.
The attack surface is limited to Squid deployments that explicitly enable ICP support by configuring a non-zero icp_port value. Importantly, the vulnerability cannot be mitigated through icp_access access control rules, as the vulnerable code path is executed before access controls are evaluated. This makes the vulnerability particularly dangerous for organizations that have attempted to restrict ICP access through ACLs while still maintaining the port configuration.
Root Cause
The root cause is classified under CWE-413 (Improper Resource Locking), involving improper synchronization and premature deallocation of heap memory resources during ICP request processing. The memory management code releases resources before all references to those resources have completed their operations, resulting in dangling pointer references that lead to Use-After-Free conditions when subsequently accessed.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with network access to the ICP port can send specially crafted ICP protocol traffic to trigger the Use-After-Free condition. The attack is described as reliable and repeatable, meaning attackers can consistently crash or destabilize the Squid service.
The vulnerability specifically targets the ICP protocol handler, which operates on a separate UDP port from the main HTTP proxy service. When exploited, the memory corruption caused by accessing freed heap memory results in service crashes or undefined behavior that disrupts proxy operations.
Detection Methods for CVE-2026-32748
Indicators of Compromise
- Unexpected Squid service crashes or restarts, particularly correlated with ICP traffic
- Unusual volume of ICP protocol traffic from external or unexpected sources
- Core dumps or crash logs indicating heap corruption or memory access violations
- Abnormal memory usage patterns in Squid process before crashes
Detection Strategies
- Monitor Squid service availability and restart frequency for anomalous patterns
- Implement network traffic analysis for unusual ICP protocol activity on configured icp_port
- Configure process monitoring to detect abnormal termination of Squid processes
- Review system logs for segmentation faults or memory corruption indicators
Monitoring Recommendations
- Enable verbose logging for ICP traffic in Squid configuration
- Deploy network intrusion detection signatures for malformed or suspicious ICP packets
- Set up automated alerting for Squid service availability degradation
- Monitor system logs for kernel messages related to memory access violations
How to Mitigate CVE-2026-32748
Immediate Actions Required
- Upgrade Squid to version 7.5 or later immediately
- If upgrade is not immediately possible, consider disabling ICP support by setting icp_port to 0
- Implement network-level filtering to restrict ICP port access to trusted sources only
- Monitor Squid services for signs of exploitation while planning the upgrade
Patch Information
The vulnerability is fixed in Squid version 7.5. The fix is available in commit 703e07d25ca6fa11f52d20bf0bb879e22ab7481b. Organizations should upgrade to the patched version as soon as possible.
Workarounds
- Disable ICP functionality by setting icp_port 0 in squid.conf if ICP is not required
- Implement firewall rules to block inbound ICP traffic (UDP) from untrusted networks
- Use network segmentation to isolate Squid instances from direct external ICP access
- Note: icp_access rules do NOT mitigate this vulnerability and should not be relied upon
# Configuration example - Disable ICP in squid.conf
# Add or modify the following line in /etc/squid/squid.conf
icp_port 0
# Restart Squid to apply changes
systemctl restart squid
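To confirm whether a host still needs the workaround, the following added example (not part of the original advisory or of Squid's own tooling) reads a squid.conf and a version string and reports exposure. The function names are hypothetical, and the script assumes that the last icp_port line wins, that a missing icp_port line means ICP is disabled, and that files pulled in with include are not followed.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2026-32748 (Squid < 7.5 with ICP on).
# Assumptions: last icp_port line wins; no icp_port line means ICP is off;
# "include" files are not followed. Function names are hypothetical.

# Print the effective icp_port value found in the squid.conf given as $1.
effective_icp_port() {
    awk '
        { sub(/#.*/, "") }                        # strip comments
        $1 == "icp_port" && NF >= 2 { port = $2 } # remember the latest value
        END { print (port == "" ? 0 : port) }
    ' "$1"
}

# Exit 0 if the version in $1 is older than 7.5, 1 if not, 2 if unparseable.
# Accepts "7.4" or the first line of `squid -v` ("Squid Cache: Version 6.10").
version_is_vulnerable() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                                   # $1 = major, $2 = minor
    [ "$1" -lt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -lt 5 ]; }
}

# Print one verdict line for config file $1 and version string $2.
assess() {
    port=$(effective_icp_port "$1")
    if [ "$port" = "0" ]; then
        echo "NOT_EXPOSED icp_port=0"
        return 0
    fi
    rc=0
    version_is_vulnerable "$2" || rc=$?
    case $rc in
        0) echo "VULNERABLE icp_port=$port (icp_access rules do not mitigate)" ;;
        1) echo "PATCHED icp_port=$port" ;;
        *) echo "UNKNOWN_VERSION icp_port=$port" ;;
    esac
}

# Usage: sh check.sh /etc/squid/squid.conf "$(squid -v | head -n 1)"
if [ $# -ge 2 ]; then
    assess "$1" "$2"
fi
```

The check ignores any icp_access lines because, as noted above, they do not mitigate this vulnerability.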
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


