Skip to main content

Squirrel CVE-2026-8258

| EUVDEUVD-2026-29014 LOW
Stack-based Buffer Overflow (CWE-121)
2026-05-11 VulDB GHSA-fff5-x34w-4v72
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 11, 2026 - 02:22 NVD
MEDIUM LOW
CVSS changed
May 11, 2026 - 02:22 NVD
5.3 (MEDIUM) 1.9 (LOW)
Analysis Generated
May 11, 2026 - 02:00 vuln.today
CVE Published
May 11, 2026 - 00:45 nvd
MEDIUM 5.3

DescriptionCVE.org

A flaw has been found in Squirrel up to 3.2. Impacted is the function validate_format in the library sqstdlib/sqstdstring.cpp. Executing a manipulation can lead to stack-based buffer overflow. The attack can only be executed locally. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Stack-based buffer overflow in Squirrel up to version 3.2 within the validate_format function of sqstdlib/sqstdstring.cpp allows local authenticated attackers to corrupt stack memory, potentially achieving code execution or denial of service. Public exploit code is available, and the vulnerability has been reported to the project with no vendor response documented at time of analysis.

Technical ContextAI

Squirrel is a lightweight scripting language. The vulnerability exists in the standard library string validation function validate_format, which performs unsafe memory operations (likely memcpy-based) without proper bounds checking. CWE-121 (Stack-based Buffer Overflow) indicates the flaw occurs when the function writes data beyond allocated stack buffer boundaries, potentially overwriting return addresses, stack canaries, or local variables. The affected code path is in sqstdlib/sqstdstring.cpp, part of Squirrel's standard library implementation that handles string format operations.

RemediationAI

Primary remediation: upgrade Squirrel to a version later than 3.2 once released with the fix (vendor advisory not yet available). Immediate workaround if upgrade is not feasible: disable or restrict use of the validate_format function in string library operations, or implement input validation and length checks before passing untrusted data to format operations. If Squirrel is embedded in an application, restrict script execution context to non-privileged accounts and use OS-level sandboxing (e.g., containers, seccomp filters) to limit impact of potential code execution. Monitor the official Squirrel GitHub repository (https://github.com/albertodemichelis/squirrel) and issue #325 for patch announcements. Note that workarounds may break legitimate string formatting functionality and should be evaluated for compatibility.

Share

CVE-2026-8258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy