Description
A flaw has been found in Squirrel up to 3.2. Impacted is the function validate_format in the library sqstdlib/sqstdstring.cpp. Executing a manipulation can lead to stack-based buffer overflow. The attack can only be executed locally. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-11
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow exists in the validate_format function of Squirrel’s sqstdstring.cpp implementation. The flaw can be triggered by carefully crafted input processed by the library, leading to overwriting the stack and potentially corrupting control data. With the CVSS score of 4.8, the vulnerability presents low‑to‑moderate risk but can cause application crashes or, in the worst case, local code execution if an attacker can influence the input data.

Affected Systems

The vulnerability affects the Squirrel library up to version 3.2. No higher versions are known to contain the flaw, and the project has not yet released a fix. Systems that incorporate Squirrel 3.2 or earlier and allow untrusted input to reach validate_format are at risk.

Risk and Exploitability

According to the description, exploitation is limited to a local context; an attacker must have the ability to run code that uses Squirrel. Exploit code has been publicly published, which indicates that the vulnerability remains available in the wild. Because EPSS is not provided and the vulnerability is not listed in the CISA KEV catalog, the exploitation probability is unclear, but publicly known exploits confirm that the flaw can be used. The CVSS score of 4.8 reflects the low severity and indicates a moderate chance of successful exploitation with local privileges. Monitoring for abuse and applying mitigations are recommended.

Generated by OpenCVE AI on May 11, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Squirrel version that includes fixes for the validate_format buffer overflow, once available from the project maintainers.
  • If an upgrade is not immediately feasible, restrict the privileges and execution context of any processes that load Squirrel, and enable runtime protections such as stack canaries and address space randomization to reduce the risk of successful exploitation.
  • Check for and apply compiler security hardening options (e.g., -fstack-protector, -D_FORTIFY_SOURCE) when building applications that embed Squirrel to enforce runtime checks on buffer operations.

Generated by OpenCVE AI on May 11, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Albertodemichelis
Albertodemichelis squirrel
Vendors & Products Albertodemichelis
Albertodemichelis squirrel

Mon, 11 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Squirrel up to 3.2. Impacted is the function validate_format in the library sqstdlib/sqstdstring.cpp. Executing a manipulation can lead to stack-based buffer overflow. The attack can only be executed locally. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title Squirrel sqstdstring.cpp validate_format stack-based overflow
Weaknesses CWE-119
CWE-121
References
Metrics cvssV2_0

{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Albertodemichelis Squirrel
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-11T12:49:13.713Z

Reserved: 2026-05-10T15:00:09.852Z

Link: CVE-2026-8258

cve-icon Vulnrichment

Updated: 2026-05-11T12:49:08.275Z

cve-icon NVD

Status : Received

Published: 2026-05-11T02:16:27.250

Modified: 2026-05-11T14:16:33.657

Link: CVE-2026-8258

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T02:30:25Z

Weaknesses