cbcvebase.
CVE-2021-41556
published 2022-07-28


Priority: P260, critical
CVSS 3.1: 10 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H)
EPSS: 2.13% (79.7th percentile)
sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine.

Affected

5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squirrel3 | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| squirrel-lang | squirrel | <= 2.2.5 | |
| squirrel-lang | squirrel | 3.0 – 3.1 | |

Detection & IOCs (extracted from sources)

  • Vulnerability resides in sqclass.cpp within the Squirrel interpreter core; monitor for exploitation attempts targeting environments embedding Squirrel Engine (e.g., game engines, cloud customization platforms)
  • Attacker vector is delivery of a malicious SquirrelScript executed by a victim; flag untrusted or externally-sourced .nut/.squirrel script execution in sandboxed environments
  • Abuse scenarios include cloud services with SquirrelScript customization and video games embedding a Squirrel Engine — prioritize detection in those deployment contexts
  • Affected versions are Squirrel 2.x through 2.2.5 and 3.x through 3.1; Debian stable (bullseye), testing (trixie/forky), and sid all remain open/unpatched as of tracker data
  • Sandbox escape is possible even when dangerous functionality (e.g., File System functions) is explicitly disabled; do not rely solely on feature-restriction as a mitigation

CVSS provenance

  • nvd: v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • osv: 10.0 CRITICAL
  • vendor_debian: 10.0 CRITICAL