This security update addresses two high-severity Denial of Service vulnerabilities (CVE-2026-32748 and CVE-2026-33526, CVSS 7.5) in the Squid proxy server, triggered by crafted ICP traffic including a heap use-after-free condition. The vulnerabilities affect Squid versions prior to 7.5, and the fix requires upgrading to Squid version 7.5.
Red Hat Product Errata RHSA-2026:20564 - Security Advisory Issued: 2026-05-26 Updated: 2026-05-26 RHSA-2026:20564 - Security Advisory Overview Updated Packages Synopsis Important: squid:4 security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects. Security Fix(es): squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526) Squid: Squid: Denial of Service via crafted ICP traffic (CVE-2026-32748) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64 Red Hat Enterprise Linux Server - AUS 8.4 x86_64 Fixes BZ - 2451574 - CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling BZ - 2451577 - CVE-2026-32748 Squid: Squid: Denial of Service via crafted ICP traffic CVEs CVE-2026-32748 CVE-2026-33526 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 SRPM libecap-1.0.1-2.module+el8.1.0+4044+36416a77.src.rpm SHA-256: 2f43b6316609e9a09ecea6e01089d7d886d0024c1eae28f1c31d87670992f7ff squid-4.11-4.module+el8.4.0+24287+ae9ea41b.11.src.rpm SHA-256: 277a784dcebae9b05a661ec527976a0f8a913e804d3a517c0f1c4f23c3d1ef9c x86_64 libecap-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: d9d61e2135b220b3d61ae42ef3168afe872f28e6ba90ec1e7c12f99ee0cd09bf libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: fcf34d948d19d8ceec11c33bfbd410918882c1e2d5f98d317d47f40935a8beca libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: 3a323f9bd1ce4c4fdba3eed2f8c5ab67ef86553708394d3ef6c55c579d339c60 libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: 1b13a8613f81f5551073df17797db405c70acc0e332bbc915d50459e2e7f4530 squid-4.11-4.module+el8.4.0+24287+ae9ea41b.11.x86_64.rpm SHA-256: 1310f6b5783224d7bfb716120903e67ee3115739c869c6f4587fac498ed71ed4 squid-debuginfo-4.11-4.module+el8.4.0+24287+ae9ea41b.11.x86_64.rpm SHA-256: 02e4227e1662a9f4e8018a8481621067f68b5c3215cc7c0d2a8bf255a7307c3a squid-debugsource-4.11-4.module+el8.4.0+24287+ae9ea41b.11.x86_64.rpm SHA-256: 6a6f0174714c4c2083fa949ad95240e1e584bb35bb64f5602734e441d15f1416 Red Hat Enterprise Linux Server - AUS 8.4 SRPM libecap-1.0.1-2.module+el8.1.0+4044+36416a77.src.rpm SHA-256: 2f43b6316609e9a09ecea6e01089d7d886d0024c1eae28f1c31d87670992f7ff squid-4.11-4.module+el8.4.0+24287+ae9ea41b.11.src.rpm SHA-256: 277a784dcebae9b05a661ec527976a0f8a913e804d3a517c0f1c4f23c3d1ef9c x86_64 libecap-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: d9d61e2135b220b3d61ae42ef3168afe872f28e6ba90ec1e7c12f99ee0cd09bf libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: fcf34d948d19d8ceec11c33bfbd410918882c1e2d5f98d317d47f40935a8beca libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: 3a323f9bd1ce4c4fdba3eed2f8c5ab67ef86553708394d3ef6c55c579d339c60 libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm SHA-256: 1b13a8613f81f5551073df17797db405c70acc0e332bbc915d50459e2e7f4530 squid-4.11-4.module+el8.4.0+24287+ae9ea41b.11.x86_64.rpm SHA-256: 1310f6b5783224d7bfb716120903e67ee3115739c869c6f4587fac498ed71ed4 squid-debuginfo-4.11-4.module+el8.4.0+24287+ae9ea41b.11.x86_64.rpm SHA-256: 02e4227e1662a9f4e8018a8481621067f68b5c3215cc7c0d2a8bf255a7307c3a squid-debugsource-4.11-4.module+el8.4.0+24287+ae9ea41b.11.x86_64.rpm SHA-256: 6a6f0174714c4c2083fa949ad95240e1e584bb35bb64f5602734e441d15f1416 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .