Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was determined in Squirrel up to 3.2. This affects the function SQFunctionProto::Load of the file squirrel/sqobject.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Heap-based buffer overflow in Squirrel up to version 3.2 within the SQFunctionProto::Load function allows local attackers to cause memory corruption with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists for this vulnerability, and the vulnerability exhibits low CVSS score (2.0) due to local-only attack vector and minimal scope, though the disclosure and POC availability increase practical risk for embedded and scripting environments using Squirrel.
Technical ContextAI
Squirrel is a lightweight scripting language commonly embedded in applications. The vulnerability resides in squirrel/sqobject.cpp within the SQFunctionProto::Load function, which handles deserialization or loading of function prototype objects. The heap-based buffer overflow (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) occurs when this function processes untrusted input without proper bounds checking, allowing crafted data to overflow heap-allocated structures. The CVSS vector (AV:L/AC:L/AT:N/PR:N/UI:N) indicates local execution requirement with no special access privileges or user interaction needed, suggesting the vulnerability can be triggered through local file manipulation or local script execution within applications embedding Squirrel.
RemediationAI
Upgrade Squirrel to a version later than 3.2 once available from the upstream project. As of this analysis, the project albertodemichelis/squirrel has been informed via issue #326 but has not yet released a patch. Monitor https://github.com/albertodemichelis/squirrel/releases for updates. As immediate compensating controls: restrict local access to systems running Squirrel applications to trusted users only; disable or sandbox Squirrel script execution for untrusted sources; implement strict input validation on any externally-sourced Squirrel bytecode or function prototypes before loading; consider disabling dynamic function loading if not required by your application's functionality. These controls mitigate local attack surface but do not address the underlying memory safety issue.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29017
GHSA-r4m3-922m-v5vr