Two high-severity denial-of-service vulnerabilities (CVE-2026-32748 and CVE-2026-33526, CVSS 7.5) affect Squid proxy servers via crafted ICP traffic, with one exploiting a heap use-after-free flaw. The NVD data indicates these vulnerabilities affect all Squid versions prior to 7.5. The fix requires upgrading to Squid version 7.5.
Red Hat Product Errata RHSA-2026:10256 - Security Advisory Issued: 2026-04-23 Updated: 2026-04-23 RHSA-2026:10256 - Security Advisory Overview Updated Packages Synopsis Important: squid security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for squid is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects. Security Fix(es): squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526) Squid: Squid: Denial of Service via crafted ICP traffic (CVE-2026-32748) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x Fixes BZ - 2451574 - CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling BZ - 2451577 - CVE-2026-32748 Squid: Squid: Denial of Service via crafted ICP traffic CVEs CVE-2026-32748 CVE-2026-33526 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 SRPM squid-5.2-1.el9_0.10.src.rpm SHA-256: cf6ffb95d57b4dd3b87ee43b10cdcce89c1ed2ee370d9743e131ad04671d473d ppc64le squid-5.2-1.el9_0.10.ppc64le.rpm SHA-256: e196ba8a2f064d1d935e863eff2cb2d416d504081117140789e1c1ba9b62da06 squid-debuginfo-5.2-1.el9_0.10.ppc64le.rpm SHA-256: 6cb039ae2d89976662d20c59722a81ed6e876460eb1dabac019bfcc4b415f7ed squid-debugsource-5.2-1.el9_0.10.ppc64le.rpm SHA-256: ff514e6bb1cd0a2b37ea5809f09176dc025fcb839a387e64d27a240bb0465213 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 SRPM squid-5.2-1.el9_0.10.src.rpm SHA-256: cf6ffb95d57b4dd3b87ee43b10cdcce89c1ed2ee370d9743e131ad04671d473d x86_64 squid-5.2-1.el9_0.10.x86_64.rpm SHA-256: 6262d963ab68d34759073fba35cff0b48459539bffc942164c1dc2b16bb81b0d squid-debuginfo-5.2-1.el9_0.10.x86_64.rpm SHA-256: ed01cb97c8032bb53bf50ce9444089f8ea209dae3ac2a0086a0e7483ef141bc7 squid-debugsource-5.2-1.el9_0.10.x86_64.rpm SHA-256: d58204498022349bdf4516005988fc8fe390fd961da1c338812cf7c0a65e479a Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 SRPM squid-5.2-1.el9_0.10.src.rpm SHA-256: cf6ffb95d57b4dd3b87ee43b10cdcce89c1ed2ee370d9743e131ad04671d473d aarch64 squid-5.2-1.el9_0.10.aarch64.rpm SHA-256: 2b845e0757a134608705bad83d2b9b5ed968c1ee265aff9ea6d98b904cca6d7b squid-debuginfo-5.2-1.el9_0.10.aarch64.rpm SHA-256: 35a150a0d8476860b549d4557d3ab4c9ec346d762cd11fb5888bdc93b1f178ea squid-debugsource-5.2-1.el9_0.10.aarch64.rpm SHA-256: b007b4f6efa8509bab7ac586e949f79eb85ef49d2f20f4143712474f7aac9455 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 SRPM squid-5.2-1.el9_0.10.src.rpm SHA-256: cf6ffb95d57b4dd3b87ee43b10cdcce89c1ed2ee370d9743e131ad04671d473d s390x squid-5.2-1.el9_0.10.s390x.rpm SHA-256: 239dd75bf1fccd3d32c7394acf27dc14505c2f678c53327526ccf735c7026a8c squid-debuginfo-5.2-1.el9_0.10.s390x.rpm SHA-256: b23cd4cfc1773d1c0fa79ca1e5c36726f03d61fce6c0402a3599027e345cfb19 squid-debugsource-5.2-1.el9_0.10.s390x.rpm SHA-256: 453bd5f792314479a545dbe1fd86e9f58a7b9c77e50d51fd694c98c2d52e84fd The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .