CVE-2026-8261 - Vulnerability Details

- Squirrel sqobject.cpp Load heap-based overflow

Description

A vulnerability was determined in Squirrel up to 3.2. This affects the function SQFunctionProto::Load of the file squirrel/sqobject.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-05-11

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the SQFunctionProto::Load routine within squirrel/sqobject.cpp and triggers a heap‑based buffer overflow when handling certain input. The flaw is a classic out‑of‑bounds write (CWE‑119, CWE‑122) that can corrupt memory and potentially lead to arbitrary code execution or process crash, but only within the context of the running process. The impact is therefore confined to local execution on a system where the Squirrel interpreter is run, and it does not expose directly any network‑accessible attack surface.

Affected Systems

All versions of the Squirrel project up to and including 3.2 are affected. Users running the base interpreter or any applications that embed Squirrel 3.2 or earlier should consider themselves vulnerable, as the flaw lies in the core function that loads prototype information.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, reflecting that the vulnerability requires local privilege and does not grant widespread network damage. The EPSS score is not available but the lack of a KEV listing suggests that there are no widespread exploitation reports yet. However, the vulnerability has been publicly disclosed and is available in proof‑of‑concept repositories, meaning a local attacker who can run code in the context of the Squirrel interpreter could exploit it with the known input vectors.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

Squirrel

affected

Version	Status	Constraints
`3.0`	affected	—
`3.1`	affected	—
`3.2`	affected	—

No data.

Vendor Product Confidence Versions

Albertodemichelis

Squirrel

90%

Version	Status	Scheme	Platform
`3.0`	affected	generic	—
`3.1`	affected	generic	—
`3.2`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Squirrel engine to version 3.3 or later once the vendor releases a fix.
If an upgrade is not immediately possible, strictly restrict local user access to the Squirrel interpreter to trusted administrators only.
Keep all input data sanitized and avoid loading untrusted prototype definitions when possible.
Monitor system logs for abnormal heap or security crashes that could indicate exploitation attempts.

Generated by OpenCVE AI on May 11, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/albertodemichelis/squirrel/issues/326
https://github.com/biniamf/pocs/tree/main/squirrel-sqobject-functionproto-load-intovf-lineinfos
https://vuldb.com/submit/809904
https://vuldb.com/vuln/362558
https://vuldb.com/vuln/362558/cti

History

Mon, 11 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 11 May 2026 03:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Albertodemichelis Albertodemichelis squirrel
Vendors & Products		Albertodemichelis Albertodemichelis squirrel

Mon, 11 May 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in Squirrel up to 3.2. This affects the function SQFunctionProto::Load of the file squirrel/sqobject.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Title		Squirrel sqobject.cpp Load heap-based overflow
Weaknesses		CWE-119 CWE-122
References		https://github.com/albertodemichelis/squirrel/issues/326 https://github.com/biniamf/pocs/tree/main/squirrel-sqobject-functionproto-load-intovf-lineinfos https://vuldb.com/submit/809904 https://vuldb.com/vuln/362558 https://vuldb.com/vuln/362558/cti
Metrics		cvssV2_0 `{'score': 4.6, 'vector': 'AV:L/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.9, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Albertodemichelis Squirrel

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-11T01:30:11.394Z

Updated: 2026-05-11T14:26:06.632Z

Reserved: 2026-05-10T15:23:11.668Z

Link: CVE-2026-8261

Vulnrichment

Updated: 2026-05-11T14:24:55.622Z

NVD

Status : Received

Published: 2026-05-11T02:16:27.750

Modified: 2026-05-11T02:16:27.750

Link: CVE-2026-8261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T03:30:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object