Due to a heap Use-After-Free
bug, Squid is vulnerable to Denial of Service when handling
ICP traffic.
Severity:
This problem allows a remote attacker to perform
a reliable and repeatable Denial of Service attack against the
Squid service using the ICP protocol.
This attack is limited to Squid deployments that explicitly
enable ICP support (i.e. configure a non-zero icp_port).
This problem cannot be mitigated by denying ICP queries
using icp_access rules.
Updated Packages
These bugs were fixed in Squid version 7.5.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 7:
8a7d42f
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
Determining if your version is vulnerable
Run the following command to identify whether your Squid
has been configured with ICP enabled:
squid -k parse 2>&1 | grep -E "(icp|udp)_port" | tail -n1
All Squid configured with port 0 are not vulnerable.
All Squid-3.0 up to and including 7.4 configured with
a non-zero port should be assumed to be vulnerable.
All Squid-3.2 up to and including 7.4 configured without
any port value can be assumed to be not vulnerable.
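The following shell script is an added example, not part of this
advisory or of the Squid project. It applies the port and version
rules above to a saved copy of "squid -k parse 2>&1" plus the Squid
version, and prints a verdict. It assumes that "squid -k parse"
echoes each directive on one line (for instance
"Processing: icp_port 3130"), so the same grep as the one-liner above
finds the directive; the sample output inside the script is
constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example; not part of this advisory or of the Squid project.
# Classifies ICP exposure from a saved copy of "squid -k parse 2>&1"
# plus the Squid version, using the advisory's rules:
#   port 0                                 -> not-vulnerable
#   non-zero port, Squid 3.0 .. 7.4        -> vulnerable
#   no icp_port/udp_port line, 3.2 .. 7.4  -> not-vulnerable
#   Squid 7.5 or later                     -> fixed
#   anything the advisory does not cover   -> unknown
# Assumption: "squid -k parse" echoes each directive on one line as
# "Processing: icp_port 3130", so the directive name and value can be
# matched with the same grep the advisory uses.

# last_icp_port FILE: print the value of the last icp_port/udp_port
# directive found in FILE (the last one wins), or nothing if absent.
last_icp_port() {
    grep -E '(icp|udp)_port' "$1" | tail -n1 |
        sed -nE 's/.*(icp|udp)_port[[:space:]]+([0-9]+).*/\2/p'
}

# in_range VERSION LO_MAJ LO_MIN HI_MAJ HI_MIN: succeed if
# LO_MAJ.LO_MIN <= VERSION <= HI_MAJ.HI_MIN (only major.minor compared).
in_range() {
    maj=${1%%.*}
    case $1 in
        *.*) rest=${1#*.}; min=${rest%%.*} ;;
        *)   min=0 ;;
    esac
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; } || return 1
    [ "$maj" -lt "$4" ] || { [ "$maj" -eq "$4" ] && [ "$min" -le "$5" ]; } || return 1
    return 0
}

# icp_exposure VERSION FILE: print vulnerable | not-vulnerable | fixed | unknown
icp_exposure() {
    port=$(last_icp_port "$2")
    if [ "$port" = 0 ]; then
        echo not-vulnerable                   # ICP explicitly disabled
    elif [ -n "$port" ]; then
        if in_range "$1" 3 0 7 4; then echo vulnerable
        elif in_range "$1" 7 5 999 0; then echo fixed
        else echo unknown
        fi
    else
        if in_range "$1" 3 2 7 4; then echo not-vulnerable   # no port value on 3.2..7.4
        elif in_range "$1" 7 5 999 0; then echo fixed
        else echo unknown                     # e.g. 3.0/3.1 with no icp_port line
        fi
    fi
}

# Demonstration on a constructed sample of -k parse output (not real
# output from any host). The icp_access deny rule does not change the
# verdict, as the advisory warns: only the port value and version matter.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2026/02/11 10:00:00| Processing: http_port 3128
2026/02/11 10:00:00| Processing: icp_access deny all
2026/02/11 10:00:00| Processing: icp_port 3130
EOF
echo "Squid 7.4 with this configuration: $(icp_exposure 7.4 "$sample")"
rm -f "$sample"
```

On a real host, save the parser output with "squid -k parse 2>&1 > parse.log"
and pass the major.minor version reported by "squid -v", for example
"icp_exposure 7.4 parse.log". Versions older than 3.2 with no icp_port
line are reported as unknown because this advisory makes no statement
about them.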
Workaround
Either,
- Do not enable ICP support,
Or,
- explicitly disable ICP using
icp_port 0.
Warning: These problems cannot be mitigated by denying ICP
queries using icp_access rules.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is
your primary support point. For subscription details see
https://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits
Discovered by:
Fixed by:
- Joshua Rogers with ZeroPath
Revision history:
2025-09-07 20:22 EDT Report of the first set of vulnerabilities
2026-01-26 08:48 EDT Report of additional vulnerabilities
2026-02-10 19:58:49 UTC official fixes in master branch
END