CVE-2026-32748: CWE-413: Improper Resource Locking in squid-cache squid

Severity: High
Type: Vulnerability
Tags: CVE-2026-32748, cwe-413, cwe-416, cwe-826
Published: Thu Mar 26 2026 (03/26/2026, 00:11:01 UTC)
Source: CVE Database V5
Vendor/Project: squid-cache
Product: squid

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 01:16:57 UTC

Technical Analysis

CVE-2026-32748 affects the Squid caching proxy server, specifically versions prior to 7.5, due to improper resource locking and heap use-after-free vulnerabilities (CWE-413, CWE-416, CWE-826) in the handling of Internet Cache Protocol (ICP) traffic. ICP is used by Squid to communicate cache index information between proxy servers to improve cache efficiency. The vulnerability arises from premature release of resources during their expected lifetime, which leads to use-after-free conditions in the heap memory. This memory corruption flaw can be triggered remotely without authentication or user interaction by sending crafted ICP packets to a Squid instance with ICP support enabled (non-zero icp_port). Exploiting this bug results in a reliable and repeatable Denial of Service (DoS) by crashing or destabilizing the Squid service, impacting availability. The vulnerability cannot be mitigated by restricting ICP queries using icp_access rules, as these do not prevent the underlying resource management flaw. The issue was publicly disclosed on March 26, 2026, and fixed in Squid version 7.5. The CVSS 4.0 base score of 8.7 reflects a network attack vector with low attack complexity, no privileges or user interaction required, and a high impact on availability. No known exploits have been observed in the wild yet, but the vulnerability poses a significant risk to any Squid deployment with ICP enabled.

Potential Impact

The primary impact of CVE-2026-32748 is a Denial of Service condition that can disrupt web caching proxy services relying on Squid with ICP enabled. This can lead to service outages, degraded web performance, and increased load on origin servers due to cache unavailability. Organizations that depend on Squid for caching and accelerating web traffic, including ISPs, large enterprises, and content delivery networks, may experience significant operational disruptions. The vulnerability’s ease of exploitation—requiring only network access to the ICP port and no authentication—makes it a viable target for attackers aiming to disrupt services or cause downtime. Since the vulnerability cannot be mitigated by access control rules alone, unpatched systems remain exposed. This could also be leveraged as part of a larger attack chain to degrade network infrastructure reliability. The impact is primarily on availability, with no direct confidentiality or integrity compromise reported. However, service outages can indirectly affect business continuity and user trust.

Mitigation Recommendations

The definitive mitigation for CVE-2026-32748 is to upgrade Squid to version 7.5 or later, where the resource locking and use-after-free bugs have been fixed. Until upgrading is possible, organizations should consider disabling ICP support by setting icp_port to zero, effectively preventing the vulnerable code path from being exercised. Network-level controls such as firewall rules should be implemented to restrict access to the ICP port only to trusted internal hosts or proxy peers, minimizing exposure to untrusted networks. Monitoring Squid logs and network traffic for unusual or malformed ICP packets can help detect attempted exploitation. Since icp_access rules do not prevent the vulnerability, relying solely on them is insufficient. Organizations should also review their proxy deployment architecture to limit ICP usage or isolate vulnerable instances. Regular patch management and vulnerability scanning should be enforced to ensure timely application of security updates.
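
The version and `icp_port` checks described above can be scripted for an inventory sweep. The following is an added example, not code from this page or from the Squid project; it assumes the `squid -v` banner form `Squid Cache: Version X.Y`, that the last `icp_port` line in the file is the effective one, and that a missing directive means ICP is off. The sample configuration is constructed.

```python
import re

FIXED = (7, 5)  # first fixed release according to the advisory text

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
# squid.conf (constructed)
http_port 3128
icp_port 3130
acl peers src 10.0.0.0/24
icp_access allow peers
icp_access deny all
"""

def parse_version(banner):
    """Pull (major, minor) out of a `squid -v` banner line."""
    m = re.search(r"Version\s+(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Squid version in banner")
    return int(m.group(1)), int(m.group(2))

def directives(conf_text):
    """Map directive name -> list of argument lists, skipping comment lines."""
    found = {}
    for raw in conf_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        found.setdefault(tokens[0], []).append(tokens[1:])
    return found

def assess(banner, conf_text):
    """Report whether this build and configuration reach the vulnerable ICP path."""
    version = parse_version(banner)
    conf = directives(conf_text)
    lines = [args for args in conf.get("icp_port", []) if args]
    # Assumption: the last icp_port line is the effective one, and a
    # missing directive means ICP is off.
    port = int(lines[-1][0]) if lines else 0
    exposed = version < FIXED and port != 0
    notes = []
    if exposed:
        notes.append("upgrade to 7.5 or later, or set icp_port 0")
        if "icp_access" in conf:
            notes.append("icp_access rules are present but do not mitigate this bug")
    return {"version": version, "icp_port": port, "exposed": exposed, "notes": notes}

if __name__ == "__main__":
    print(assess("Squid Cache: Version 7.4", SAMPLE_CONF))
```
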

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-13T18:53:03.531Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69c4854ef4197a8e3b9c70ad

Added to database: 3/26/2026, 1:01:02 AM

Last enriched: 3/26/2026, 1:16:57 AM

Last updated: 3/26/2026, 4:45:30 AM
