
CVE-2026-33526: CWE-416: Use After Free in squid-cache squid

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2026-33526, cwe-416, cwe-826
Published: Thu Mar 26 2026 (03/26/2026, 00:16:12 UTC)
Source: CVE Database V5
Vendor/Project: squid-cache
Product: squid

Description

Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 01:16:07 UTC

Technical Analysis

CVE-2026-33526 is a heap-based Use-After-Free vulnerability (CWE-416) in the Squid caching proxy server, specifically triggered when processing ICP traffic. Squid is widely used to cache web content and improve network performance. The vulnerability arises from improper memory management when handling ICP requests, leading to a condition where freed heap memory is accessed again. This memory corruption can be exploited remotely by an attacker sending crafted ICP packets to a Squid server with ICP support enabled (non-zero icp_port). The flaw allows the attacker to cause a Denial of Service by crashing the Squid process or causing it to become unresponsive. Attempts to block ICP queries using icp_access rules do not prevent exploitation, as the vulnerability is triggered before such access controls are applied. The issue is resolved in Squid version 7.5 with a patch that corrects the memory handling logic. The vulnerability does not require authentication or user interaction, making it highly exploitable over the network. Although no known exploits are currently observed in the wild, the critical CVSS score (9.2) reflects the high risk posed by this vulnerability due to its impact on service availability and ease of exploitation.

Potential Impact

The primary impact of CVE-2026-33526 is a Denial of Service condition on Squid proxy servers that have ICP enabled. Organizations relying on Squid for web caching and proxy services may experience service outages or degraded performance, disrupting access to cached web content and potentially impacting dependent applications and users. This can affect enterprise networks, ISPs, and content delivery networks that use Squid to optimize traffic. The inability to mitigate the attack via standard ICP access controls increases the risk of successful exploitation. Extended downtime or repeated crashes could lead to operational disruptions, increased support costs, and potential cascading effects on network infrastructure. While the vulnerability does not allow remote code execution or data compromise, the loss of availability can be critical for organizations with high dependency on Squid proxies for traffic management and security filtering.

Mitigation Recommendations

To mitigate CVE-2026-33526, organizations should upgrade all Squid deployments to version 7.5 or later, where the vulnerability is patched. If immediate upgrade is not feasible, consider disabling ICP support by setting the icp_port to zero, effectively preventing the vulnerable code path from being triggered. Network-level controls such as firewall rules should be implemented to restrict access to the ICP port only to trusted internal hosts, minimizing exposure to external attackers. Monitoring Squid logs for unusual ICP traffic patterns can help detect exploitation attempts. Since icp_access rules do not prevent exploitation, relying solely on these is insufficient. Additionally, organizations should review and harden their proxy configurations to limit unnecessary services and protocols. Regular vulnerability scanning and patch management processes should be enforced to ensure timely updates. Finally, consider deploying network intrusion detection systems capable of identifying malformed ICP packets indicative of exploitation attempts.
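
The two exposure conditions above (a release before 7.5 and a non-zero `icp_port`) can be checked mechanically. The following is an added example, not code from the advisory or from the Squid project. It assumes the last `icp_port` directive wins, that an absent directive means ICP is disabled, that `include` files are not followed, and that the version banner has the `Squid Cache: Version X.Y` form printed by `squid -v`. Function names are hypothetical and the sample configuration is constructed.

```python
import re

FIXED = (7, 5)  # first patched release named in the advisory

def parse_version(banner):
    """Extract (major, minor) from text like 'Squid Cache: Version 6.13'."""
    m = re.search(r"Version\s+(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Squid version found in banner")
    return int(m.group(1)), int(m.group(2))

def directives(conf_text, name):
    """Yield the argument list of every uncommented `name` directive, in order."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if line and line[0] == name:
            yield line[1:]

def icp_port(conf_text):
    """Effective ICP port. Assumption: last directive wins, absent means 0."""
    port = 0
    for args in directives(conf_text, "icp_port"):
        if args and args[0].isdigit():
            port = int(args[0])
    return port

def audit(banner, conf_text):
    """Report whether this version/config pair matches the advisory's conditions."""
    version = parse_version(banner)
    port = icp_port(conf_text)
    exposed = version < FIXED and port != 0
    findings = []
    if exposed:
        findings.append(
            f"ICP enabled on UDP {port} with Squid {version[0]}.{version[1]} < 7.5")
        # The advisory states icp_access rules do not mitigate; flag false comfort.
        if any(a[:1] == ["deny"] for a in directives(conf_text, "icp_access")):
            findings.append("icp_access deny rules present but do not mitigate this issue")
    return {"exposed": exposed, "icp_port": port, "findings": findings}

# Constructed sample input (not taken from a real deployment).
SAMPLE_CONF = """
http_port 3128
#icp_port 0
icp_port 3130   # sibling cache peering
icp_access deny all
"""

if __name__ == "__main__":
    print(audit("Squid Cache: Version 7.4", SAMPLE_CONF))
```
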


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-20T18:05:11.830Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69c4854ef4197a8e3b9c70cd

Added to database: 3/26/2026, 1:01:02 AM

Last enriched: 3/26/2026, 1:16:07 AM

Last updated: 3/26/2026, 3:08:29 AM
