Two heap-based vulnerabilities in Squid's ICP handling, CVE-2026-32748 and CVE-2026-33526 (both CVSS 7.5 High), allow remote attackers to cause a denial of service via crafted ICP traffic and a use-after-free condition. The vulnerabilities affect Squid versions prior to 7.5. The fix requires upgrading Squid to version 7.5.
Red Hat Product Errata RHSA-2026:8880 - Security Advisory Issued: 2026-04-20 Updated: 2026-04-20 RHSA-2026:8880 - Security Advisory Overview Updated Packages Synopsis Important: squid security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for squid is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects. Security Fix(es): squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526) Squid: Squid: Denial of Service via crafted ICP traffic (CVE-2026-32748) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64 Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64 Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le Fixes BZ - 2451574 - CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling BZ - 2451577 - CVE-2026-32748 Squid: Squid: Denial of Service via crafted ICP traffic CVEs CVE-2026-32748 CVE-2026-33526 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 SRPM squid-3.5.20-17.el7_9.16.src.rpm SHA-256: 93db794369fb6b518f444fc4ea7704f08e8e0043dced2ab91f46a7a291ff598c x86_64 squid-3.5.20-17.el7_9.16.x86_64.rpm SHA-256: dff9db26ad9f41785c93e91a459021b90f944be5610b4e689e238fac0a95b252 squid-debuginfo-3.5.20-17.el7_9.16.x86_64.rpm SHA-256: 404143d727cab63324700b531638d43b71bdacdb40e446c421e707efb6f56d27 squid-debuginfo-3.5.20-17.el7_9.16.x86_64.rpm SHA-256: 404143d727cab63324700b531638d43b71bdacdb40e446c421e707efb6f56d27 squid-migration-script-3.5.20-17.el7_9.16.x86_64.rpm SHA-256: 7ea9e4313cbc73cc348132f87bb3f14aecc6ab852baea9648380964ffbcfbc8c squid-sysvinit-3.5.20-17.el7_9.16.x86_64.rpm SHA-256: 11f1d4c3273218010778ee74d301c358e713a4b22d9baf8337a115fdb2176ce7 Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 SRPM squid-3.5.20-17.el7_9.16.src.rpm SHA-256: 93db794369fb6b518f444fc4ea7704f08e8e0043dced2ab91f46a7a291ff598c s390x squid-3.5.20-17.el7_9.16.s390x.rpm SHA-256: baf4fb70cd3dae8b183feeb7cb2d138ffd197103e5f2fd85ac3a598f6102e0a5 squid-debuginfo-3.5.20-17.el7_9.16.s390x.rpm SHA-256: 4f6f032b87e636b8832c5b7e5d4d1f97e0ca9f0519eec6cb0afc05bd7ad47ac4 squid-debuginfo-3.5.20-17.el7_9.16.s390x.rpm SHA-256: 4f6f032b87e636b8832c5b7e5d4d1f97e0ca9f0519eec6cb0afc05bd7ad47ac4 squid-migration-script-3.5.20-17.el7_9.16.s390x.rpm SHA-256: e105703d200086aa757df95da257abb9e34ea6cf0c4c6c9f2979eae3ed4ae8d9 squid-sysvinit-3.5.20-17.el7_9.16.s390x.rpm SHA-256: 49a2fa0d65a893f92cf793f435610d9e49c7444a4652df7cb818e468d4c11ea1 Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 SRPM squid-3.5.20-17.el7_9.16.src.rpm SHA-256: 93db794369fb6b518f444fc4ea7704f08e8e0043dced2ab91f46a7a291ff598c ppc64 squid-3.5.20-17.el7_9.16.ppc64.rpm SHA-256: 9737e70506188e3ca960e2713aa491d535795821e4b081733bdf3d32be02b860 squid-debuginfo-3.5.20-17.el7_9.16.ppc64.rpm SHA-256: b8ddecfc8d155e4c13b2e3722503e89ddd42eec8a47259654795ba30a38d5698 squid-debuginfo-3.5.20-17.el7_9.16.ppc64.rpm SHA-256: b8ddecfc8d155e4c13b2e3722503e89ddd42eec8a47259654795ba30a38d5698 squid-migration-script-3.5.20-17.el7_9.16.ppc64.rpm SHA-256: abc36875a2f79a8fc46ee99636e3dc5946d70a876d2f03426cb0cd543b4b9f39 squid-sysvinit-3.5.20-17.el7_9.16.ppc64.rpm SHA-256: 07c55c1a899b90c30fab47857ece7eead455b296b01700d38f390fb7c7b29e56 Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 SRPM squid-3.5.20-17.el7_9.16.src.rpm SHA-256: 93db794369fb6b518f444fc4ea7704f08e8e0043dced2ab91f46a7a291ff598c ppc64le squid-3.5.20-17.el7_9.16.ppc64le.rpm SHA-256: efcca34dfdacd0ac67c492d4aca362f1f443fe0eeab41acbf2086ca32004bcc9 squid-debuginfo-3.5.20-17.el7_9.16.ppc64le.rpm SHA-256: c4fb61807e5b7f49dbb0e213939d24e6f957e3ff668fc9b2cff3ae462a3e84d2 squid-debuginfo-3.5.20-17.el7_9.16.ppc64le.rpm SHA-256: c4fb61807e5b7f49dbb0e213939d24e6f957e3ff668fc9b2cff3ae462a3e84d2 squid-migration-script-3.5.20-17.el7_9.16.ppc64le.rpm SHA-256: 9da75eb2bf56425e4d4bbc46eaf26325525a6106d18ec624f251b94fa5c2a38a squid-sysvinit-3.5.20-17.el7_9.16.ppc64le.rpm SHA-256: 1fcb1e997a944719677d1ff158f5681cf77b2b67f7b76dc12acbad04765f17b6 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .