Description
A security flaw has been discovered in Squirrel up to 3.2. Impacted is the function ReadObject of the file squirrel/sqobject.cpp of the component Cnut File Handler. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the ReadObject function of squirrel/sqobject.cpp within the Cnut File Handler component. A crafted input triggers a heap-based overflow that corrupts memory, potentially leading to arbitrary code execution if an attacker can supply the malicious data. This weakness is formally classified as CWE-119 and CWE-122 and allows compromise of the local system where Squirrel is run.

Affected Systems

Squirrel, all releases up to 3.2 are vulnerable when the Cnut File Handler is enabled. No specific patch is listed in the tracking evidence; the vendor has not yet released a fix.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity. The EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not a proven widespread threat yet. However, the public exploit code is available and the flaw can only be exploited with local access, making it a significant risk in environments where local users are untrusted or where insider threats exist.

Generated by OpenCVE AI on May 26, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether the installed Squirrel version is 3.2 or earlier; if so, consider removing the Cnut File Handler module or deploying the latest stable release if newer versions contain a fix.
  • Restrict local user permissions to prevent execution of the Squirrel binary by non‑trusted accounts.
  • Deploy intrusion detection or log monitoring to watch for unusual memory accesses or execution paths that may indicate exploitation of the overflow.

Generated by OpenCVE AI on May 26, 2026 at 15:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Squirrel-lang
Squirrel-lang squirrel
CPEs cpe:2.3:a:squirrel-lang:squirrel:*:*:*:*:*:*:*:*
Vendors & Products Squirrel-lang
Squirrel-lang squirrel

Tue, 26 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Squirrel up to 3.2. Impacted is the function ReadObject of the file squirrel/sqobject.cpp of the component Cnut File Handler. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title Squirrel Cnut File sqobject.cpp ReadObject heap-based overflow
First Time appeared Squirrel
Squirrel squirrel
Weaknesses CWE-119
CWE-122
CPEs cpe:2.3:a:squirrel:squirrel:*:*:*:*:*:*:*:*
Vendors & Products Squirrel
Squirrel squirrel
References
Metrics cvssV2_0

{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Squirrel Squirrel
Squirrel-lang Squirrel
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T15:18:15.140Z

Reserved: 2026-05-26T05:51:28.774Z

Link: CVE-2026-9541

cve-icon Vulnrichment

Updated: 2026-05-26T15:18:10.013Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T14:16:46.007

Modified: 2026-06-17T11:05:27.840

Link: CVE-2026-9541

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:05:16Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-122

    Heap-based Buffer Overflow