Red Hat Product Security has released an advisory for two denial of service vulnerabilities in Squid, a high-performance proxy caching server. The first vulnerability (CVE-2026-33526) is a heap use-after-free issue in ICP handling, and the second (CVE-2026-32748) involves denial of service via crafted ICP traffic. These vulnerabilities affect Red Hat Enterprise Linux 10 and its variants across multiple hardware architectures. The advisory (RHSA-2026:8119) provides updated Squid packages to fix these issues. The vulnerabilities are categorized under CWE-825 and CWE-826, relating to use-after-free and improper access control. No CVSS scores are provided, but Red Hat rates the security impact as important. There are no known exploits in the wild, and the vendor recommends applying the provided updates.

The vulnerabilities can cause denial of service conditions in Squid proxy servers by exploiting flaws in ICP message handling, potentially disrupting proxy services. The impact is limited to service availability degradation rather than remote code execution or data compromise. Red Hat classifies the security impact as important, indicating a significant but not critical threat. No active exploitation has been reported.

Red Hat has released updated Squid packages for Red Hat Enterprise Linux 10 and its variants to address these vulnerabilities. Users should apply the security update as described in Red Hat advisory RHSA-2026:8119 and the referenced article https://access.redhat.com/articles/11258. Since this is not a cloud service, remediation depends on applying these patches to affected systems. There are no indications that no action is required or that the issue is already mitigated without patching.