Two high-severity denial-of-service vulnerabilities (CVE-2026-32748 and CVE-2026-33526, CVSS 7.5) in Squid affect versions prior to 7.5, triggered by crafted ICP traffic including a heap use-after-free condition. The fixed version is Squid 7.5, which Red Hat has backported for its Enterprise Linux 10.0 EUS distributions. IT professionals should prioritize patching affected Squid proxy servers to mitigate these DoS risks.
Red Hat Product Errata RHSA-2026:11901 - Security Advisory Issued: 2026-04-29 Updated: 2026-04-29 RHSA-2026:11901 - Security Advisory Overview Updated Packages Synopsis Important: squid security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for squid is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects. Security Fix(es): squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526) Squid: Squid: Denial of Service via crafted ICP traffic (CVE-2026-32748) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 Fixes BZ - 2451574 - CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling BZ - 2451577 - CVE-2026-32748 Squid: Squid: Denial of Service via crafted ICP traffic CVEs CVE-2026-32748 CVE-2026-33526 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 SRPM squid-6.10-5.el10_0.2.src.rpm SHA-256: 30d72cc6124a00b3faa0756e6f418492cd1c04ca451c9cbdbeee39568b6d1ae5 x86_64 squid-6.10-5.el10_0.2.x86_64.rpm SHA-256: fbadf88dd7f5bc58c5fe0395f655ffbb16956f9816130f2a93f8c745f5500134 squid-debuginfo-6.10-5.el10_0.2.x86_64.rpm SHA-256: 7271562363182d6400e2ce01d7166cf06554857a76c73777e53832e9da8dc375 squid-debugsource-6.10-5.el10_0.2.x86_64.rpm SHA-256: 5af1335d5bfe652d4ac0ac32ed6d1d90442b10dfccc7be735959269ff826d343 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 SRPM squid-6.10-5.el10_0.2.src.rpm SHA-256: 30d72cc6124a00b3faa0756e6f418492cd1c04ca451c9cbdbeee39568b6d1ae5 s390x squid-6.10-5.el10_0.2.s390x.rpm SHA-256: 26e321493eb4d1e4c68aaaeccca1ae9ef80a38192e41a10188a12f2c6de1c787 squid-debuginfo-6.10-5.el10_0.2.s390x.rpm SHA-256: 7fac387a7025938925ec89631ae0daf676a85b2752ff00606d0a0583577d8add squid-debugsource-6.10-5.el10_0.2.s390x.rpm SHA-256: 7f7047a1fcce762e684698c4846ccae9f938083e61e0690c6c0aacf8cb5d0227 Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 SRPM squid-6.10-5.el10_0.2.src.rpm SHA-256: 30d72cc6124a00b3faa0756e6f418492cd1c04ca451c9cbdbeee39568b6d1ae5 ppc64le squid-6.10-5.el10_0.2.ppc64le.rpm SHA-256: 50fc9247f48a9c1223b2c15c0e0be5477cca62667db18024c93fa26c0950bed7 squid-debuginfo-6.10-5.el10_0.2.ppc64le.rpm SHA-256: f7cc4de59c6d21399ec006deef8cfa1cf5a6b9fdebacdef42c518243b508bbd7 squid-debugsource-6.10-5.el10_0.2.ppc64le.rpm SHA-256: 9fa8a343f89557def161d93c82a2f71227b06b6a312cfc581365b358123f292a Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 SRPM squid-6.10-5.el10_0.2.src.rpm SHA-256: 30d72cc6124a00b3faa0756e6f418492cd1c04ca451c9cbdbeee39568b6d1ae5 aarch64 squid-6.10-5.el10_0.2.aarch64.rpm SHA-256: f617afed2e526d3a871d567cea89b54f65a49ced85099ee1a9fbd0611abdcf98 squid-debuginfo-6.10-5.el10_0.2.aarch64.rpm SHA-256: 357a2616189b8e555ca1f9864c5ea5cf826eca8f301f73b232479979ee8648a8 squid-debugsource-6.10-5.el10_0.2.aarch64.rpm SHA-256: 460007d0b8c2f65f59aebb0a30aa5a391537b05a5fc27b58be9a387b2afc1835 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 SRPM squid-6.10-5.el10_0.2.src.rpm SHA-256: 30d72cc6124a00b3faa0756e6f418492cd1c04ca451c9cbdbeee39568b6d1ae5 aarch64 squid-6.10-5.el10_0.2.aarch64.rpm SHA-256: f617afed2e526d3a871d567cea89b54f65a49ced85099ee1a9fbd0611abdcf98 squid-debuginfo-6.10-5.el10_0.2.aarch64.rpm SHA-256: 357a2616189b8e555ca1f9864c5ea5cf826eca8f301f73b232479979ee8648a8 squid-debugsource-6.10-5.el10_0.2.aarch64.rpm SHA-256: 460007d0b8c2f65f59aebb0a30aa5a391537b05a5fc27b58be9a387b2afc1835 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 SRPM squid-6.10-5.el10_0.2.src.rpm SHA-256: 30d72cc6124a00b3faa0756e6f418492cd1c04ca451c9cbdbeee39568b6d1ae5 s390x squid-6.10-5.el10_0.2.s390x.rpm SHA-256: 26e321493eb4d1e4c68aaaeccca1ae9ef80a38192e41a10188a12f2c6de1c787 squid-debuginfo-6.10-5.el10_0.2.s390x.rpm SHA-256: 7fac387a7025938925ec89631ae0daf676a85b2752ff00606d0a0583577d8add squid-debugsource-6.10-5.el10_0.2.s390x.rpm SHA-256: 7f7047a1fcce762e684698c4846ccae9f938083e61e0690c6c0aacf8cb5d0227 Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 SRPM squid-6.10-5.el10_0.2.src.rpm SHA-256: 30d72cc6124a00b3faa0756e6f418492cd1c04ca451c9cbdbeee39568b6d1ae5 ppc64le squid-6.10-5.el10_0.2.ppc64le.rpm SHA-256: 50fc9247f48a9c1223b2c15c0e0be5477cca62667db18024c93fa26c0950bed7 squid-debuginfo-6.10-5.el10_0.2.ppc64le.rpm SHA-256: f7cc4de59c6d21399ec006deef8cfa1cf5a6b9fdebacdef42c518243b508bbd7 squid-debugsource-6.10-5.el10_0.2.ppc64le.rpm SHA-256: 9fa8a343f89557def161d93c82a2f71227b06b6a312cfc581365b358123f292a Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 SRPM squid-6.10-5.el10_0.2.src.rpm SHA-256: 30d72cc6124a00b3faa0756e6f418492cd1c04ca451c9cbdbeee39568b6d1ae5 x86_64 squid-6.10-5.el10_0.2.x86_64.rpm SHA-256: fbadf88dd7f5bc58c5fe0395f655ffbb16956f9816130f2a93f8c745f5500134 squid-debuginfo-6.10-5.el10_0.2.x86_64.rpm SHA-256: 7271562363182d6400e2ce01d7166cf06554857a76c73777e53832e9da8dc375 squid-debugsource-6.10-5.el10_0.2.x86_64.rpm SHA-256: 5af1335d5bfe652d4ac0ac32ed6d1d90442b10dfccc7be735959269ff826d343 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .