First published: Thu Jul 28 2022(Updated: )
sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Squirrel-lang Squirrel | <=2.2.5 | |
Squirrel-lang Squirrel | >=3.0<=3.1 | |
Fedoraproject Fedora | =35 | |
Fedoraproject Fedora | =36 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-41556 is a vulnerability in Squirrel through 2.2.5 and 3.x through 3.1 that allows an out-of-bounds read in the core interpreter, leading to potential code execution.
CVE-2021-41556 has a severity value of 10, which is classified as critical.
Squirrel versions 2.2.5 and 3.x through 3.1 are affected by CVE-2021-41556.
An attacker can exploit CVE-2021-41556 by executing a squirrel script under their control and breaking out of the squirrel script sandbox.
To fix CVE-2021-41556, it is recommended to update Squirrel to a patched version. Check the official Squirrel-lang website for available downloads and apply the necessary updates.