Description
A security flaw has been discovered in Squirrel up to 3.2. This affects the function SQObjectPtr::operator in the library squirrel/sqobject.h. The manipulation results in heap-based buffer overflow. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-18
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap-based Buffer Overflow
Action: Assess Impact
AI Analysis

Impact

The vulnerability originates in the SQObjectPtr::operator function defined in the squirrel/sqobject.h header of the Squirrel programming language. A flaw in how the operator handles internal buffers can cause a heap‑based buffer overflow when the function is invoked, allowing an attacker to corrupt memory or crash the process. The description explicitly notes that exploitation requires local access, but the public release of an exploit enables attackers who can run code within the target environment to trigger the overflow. This flaw is classified as an uncontrolled buffer overflow (CWE‑119) and a heap‑based buffer overflow (CWE‑122).

Affected Systems

Squirrel language distributions up to and including version 3.2 are affected. The vulnerability is not limited to any specific platform; it applies to any build of Squirrel that contains the unpatched squirrel/sqobject.h implementation. The CPE entry confirms the vendor and product but does not narrow the affected release range beyond the stated version limit.

Risk and Exploitability

The CVSS score of 4.8 indicates a low severity assessment under current scoring metrics. EPSS indicates an exploitation probability below 1 %, and the vulnerability is not listed in the CISA KEV catalog. Because the attack vector is local, an attacker must already have the capability to execute code within a Squirrel process or to supply input that is processed by the vulnerable function. Once the overflow is triggered, the attacker could potentially crash the application or manipulate heap data, which could affect application correctness or stability. The public availability of an exploit and the lack of an official vendor patch mean that any vulnerable system remains potentially exploitable by privileged local users.

Generated by OpenCVE AI on April 17, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Squirrel library to the latest version that includes the fix for SQObjectPtr::operator as soon as it becomes available.
  • If an immediate upgrade is not possible, patch the source locally: modify squirrel/sqobject.h to perform bounds checking on buffer accesses before they occur, then recompile the library.
  • Deploy the patched or upgraded library only to servers that host trusted or sandboxed code, minimizing the impact of any accidental exploitation.
  • Continuously monitor application logs for abnormal crashes or memory corruption events that could indicate an attempted exploitation of the heap overflow.

Generated by OpenCVE AI on April 17, 2026 at 18:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Squirrel-lang
Squirrel-lang squirrel
CPEs cpe:2.3:a:squirrel-lang:squirrel:*:*:*:*:*:*:*:*
Vendors & Products Squirrel-lang
Squirrel-lang squirrel

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Albertodemichelis
Albertodemichelis squirrel
Vendors & Products Albertodemichelis
Albertodemichelis squirrel

Wed, 18 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Squirrel up to 3.2. This affects the function SQObjectPtr::operator in the library squirrel/sqobject.h. The manipulation results in heap-based buffer overflow. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title Squirrel sqobject.h operator heap-based overflow
Weaknesses CWE-119
CWE-122
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Albertodemichelis Squirrel
Squirrel-lang Squirrel
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:18:59.149Z

Reserved: 2026-02-18T07:31:01.293Z

Link: CVE-2026-2661

cve-icon Vulnrichment

Updated: 2026-02-18T19:50:37.669Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T20:18:36.377

Modified: 2026-02-20T20:04:11.593

Link: CVE-2026-2661

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses