VYPR
Medium severity (5.3) · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-9541

Description

A security flaw has been discovered in Squirrel up to 3.2. Impacted is the function ReadObject of the file squirrel/sqobject.cpp of the component Cnut File Handler. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap buffer overflow in Squirrel's ReadObject allows code execution via crafted .cnut bytecode with negative string length.

Vulnerability

The vulnerability is in Squirrel up to version 3.2, in the function ReadObject within squirrel/sqobject.cpp (commit f9267f2). When parsing OT_STRING elements from a .cnut bytecode file, the function reads a string length as a signed SQInteger and passes it to GetScratchPad() and SafeRead() without validating for negative values. A negative length causes GetScratchPad to return the existing scratchpad buffer (since it only resizes for positive sizes), and then SafeRead passes the negative length to fread, which interprets it as a large unsigned size_t, resulting in a heap buffer overflow. The bug is reachable via sq_static or any embedder using sqstd_loadfile / sq_readclosure [1].

Exploitation

An attacker needs only local access to load a crafted .cnut bytecode file. No authentication or special privileges are required beyond the ability to execute a Squirrel program that loads the malicious bytecode. The attacker provides a bytecode file containing an OT_STRING with a negative length value (e.g., -1). The ReadObject function reads this value and triggers the heap overflow when SafeRead writes beyond the intended buffer, corrupting adjacent heap memory [1]. A proof-of-concept exists and is publicly available [2].

Impact

Successful exploitation leads to a heap-based buffer overflow, which can allow an attacker to overwrite heap metadata or adjacent objects. This can potentially lead to arbitrary code execution within the context of the Squirrel process. The impact is local code execution, with confidentiality, integrity, and availability all potentially compromised depending on the exploit payload [1].

Mitigation

The project was informed of the problem through an issue report but had not responded as of the advisory date, so no official patch exists for Squirrel 3.2 or earlier. The vulnerability is not listed in KEV (as of publication). As a mitigation, users should avoid loading .cnut bytecode from untrusted sources and, where possible, restrict local file loading to trusted users only. Since no fix is available, upgrading to a future patched version (if released) is recommended [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing validation of signed string length in ReadObject allows a negative value to bypass scratchpad resize and cause a heap buffer overflow via fread."

Attack vector

An attacker with local access crafts a `.cnut` bytecode file containing an `OT_STRING` object whose length field is a negative `SQInteger`. When `sq_static` (or any embedder calling `sqstd_loadfile` / `sq_readclosure`) loads this file, `ReadObject()` reads the negative length, calls `GetScratchPad(sq_rsl(len))` which returns the existing small buffer without resizing, then passes the negative length to `SafeRead()`. `SafeRead()` forwards it to `fread()`, which interprets the negative value as a huge unsigned `size_t`, causing a heap buffer overflow by writing subsequent file bytes past the scratchpad boundary [1].

Affected code

The vulnerability is in `ReadObject()` in `squirrel/sqobject.cpp` (lines 342–355). The function reads a string length from the bytecode stream as a signed `SQInteger` and passes it to `GetScratchPad()` and `SafeRead()` without rejecting negative values. `GetScratchPad()` in `sqstate.cpp` (lines 374–393) only reallocates when `size > 0`, so a negative length causes it to return the existing undersized buffer.

What the fix does

No patch has been published by the vendor; the project was informed via an issue report but has not responded [1]. The reference write-up suggests adding a bounds check in `ReadObject()`: after reading `len` from the stream, reject negative values with `if (len
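A constructed C model of the check the write-up calls for, added here and not Squirrel's own code: it shows the signed-to-`size_t` conversion that turns a negative length into a huge `fread()` count, and a string reader that rejects negative and over-long lengths before any buffer is touched. The `SQInteger` typedef, the in-memory stream and the record layout are assumptions for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the OT_STRING read path described above; this is
 * not Squirrel's own code. Assumes a 64-bit signed SQInteger build. */
typedef int64_t SQInteger;

/* The count SafeRead hands to fread(): a negative length becomes huge. */
size_t fread_count_for(SQInteger len) { return (size_t)len; }
typedef struct { const unsigned char *cur; size_t remaining; } Stream;

/* Hardened SafeRead: refuses negative counts and reads past end of input. */
static int safe_read(Stream *s, void *dst, SQInteger n) {
    if (n < 0 || (uint64_t)n > s->remaining) return 0;
    memcpy(dst, s->cur, (size_t)n);
    s->cur += n;
    s->remaining -= (size_t)n;
    return 1;
}

/* Reads one string body (native SQInteger length, then that many bytes).
 * Returns 1 and NUL-terminates into out, or 0 if the length is rejected. */
int read_string_object(Stream *s, char *out, size_t out_cap, SQInteger *out_len) {
    SQInteger len;
    if (!safe_read(s, &len, (SQInteger)sizeof len)) return 0;
    /* The check ReadObject lacks: negative, or too large for the destination. */
    if (len < 0 || (uint64_t)len >= out_cap) return 0;
    if (!safe_read(s, out, len)) return 0;   /* also bounded by input left */
    out[len] = '\0';
    *out_len = len;
    return 1;
}

/* Builds a constructed in-memory record [len][body]; returns bytes written. */
size_t build_record(unsigned char *buf, SQInteger len, const char *body, size_t body_len) {
    memcpy(buf, &len, sizeof len);
    memcpy(buf + sizeof len, body, body_len);
    return sizeof len + body_len;
}

/* Parses one constructed record into a 16-byte local buffer; returns the
 * accepted string length, or -1 if the length was rejected. */
SQInteger parse_record(SQInteger declared_len, const char *body, size_t body_len) {
    unsigned char buf[64];
    char out[16];
    SQInteger n = -1;
    size_t total = build_record(buf, declared_len, body, body_len);
    Stream s = { buf, total };
    return read_string_object(&s, out, sizeof out, &n) ? n : -1;
}
```

The `len` of 10 case below is rejected by the remaining-input check rather than the destination check, which is why both bounds are needed.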

Preconditions

  • Input: the attacker must be able to supply a crafted .cnut bytecode file to the target application
  • Configuration: the target application must call sqstd_loadfile or sq_readclosure on the attacker-supplied file
  • Network: the attack requires local access to the system (CVSS AV:L)

Reproduction

1. Obtain the crafted PoC file `poc_heap_oob_readobject.cnut` (referenced in the advisory).
2. Run `sq_static poc_heap_oob_readobject.cnut` on a Squirrel 3.2 build compiled with AddressSanitizer.
3. Observe the ASan heap-buffer-overflow report at `fread` called from `SafeRead` in `ReadObject` [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)