Skip to main content

Squirrel CVE-2026-8261

| EUVDEUVD-2026-29017 LOW
Buffer Overflow (CWE-119)
2026-05-11 cna@vuldb.com GHSA-r4m3-922m-v5vr
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 02:30 vuln.today
CVE Published
May 11, 2026 - 02:16 nvd
LOW 2.0

DescriptionCVE.org

A vulnerability was determined in Squirrel up to 3.2. This affects the function SQFunctionProto::Load of the file squirrel/sqobject.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Heap-based buffer overflow in Squirrel up to version 3.2 within the SQFunctionProto::Load function allows local attackers to cause memory corruption with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists for this vulnerability, and the vulnerability exhibits low CVSS score (2.0) due to local-only attack vector and minimal scope, though the disclosure and POC availability increase practical risk for embedded and scripting environments using Squirrel.

Technical ContextAI

Squirrel is a lightweight scripting language commonly embedded in applications. The vulnerability resides in squirrel/sqobject.cpp within the SQFunctionProto::Load function, which handles deserialization or loading of function prototype objects. The heap-based buffer overflow (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) occurs when this function processes untrusted input without proper bounds checking, allowing crafted data to overflow heap-allocated structures. The CVSS vector (AV:L/AC:L/AT:N/PR:N/UI:N) indicates local execution requirement with no special access privileges or user interaction needed, suggesting the vulnerability can be triggered through local file manipulation or local script execution within applications embedding Squirrel.

RemediationAI

Upgrade Squirrel to a version later than 3.2 once available from the upstream project. As of this analysis, the project albertodemichelis/squirrel has been informed via issue #326 but has not yet released a patch. Monitor https://github.com/albertodemichelis/squirrel/releases for updates. As immediate compensating controls: restrict local access to systems running Squirrel applications to trusted users only; disable or sandbox Squirrel script execution for untrusted sources; implement strict input validation on any externally-sourced Squirrel bytecode or function prototypes before loading; consider disabling dynamic function loading if not required by your application's functionality. These controls mitigate local attack surface but do not address the underlying memory safety issue.

Share

CVE-2026-8261 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy