Squirrel Engine Bug Could Let Attackers Break Out of Sandbox Restrictions

An out-of-bounds read vulnerability in the Squirrel programming language was discovered by researchers on August 20, 2021. Attackers can abuse it to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, giving a malicious actor complete access to the underlying machine.

Tracked as CVE-2021-41556, the issue occurs when a game library referred to as Squirrel Engine is used to execute untrusted code.

Squirrel is an open-source, object-oriented programming language that's used for scripting video games as well as in IoT devices and distributed transaction processing platforms such as Enduro/X.

The identified security flaw concerns an “out-of-bounds access via index confusion” when defining Squirrel classes that could be exploited to hijack the control flow of a program and gain full control of the Squirrel VM.
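The following added example (not Squirrel's code and not from the original article) illustrates the general bug class named above, index confusion leading to an out-of-bounds read, together with the checks that prevent it. The packed handle layout, the constants and all function names are hypothetical assumptions, since the article does not describe Squirrel's internals.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout (assumption, not Squirrel's): a class member handle
   packs a "kind" flag and an array index into one 32-bit word. */
#define FIELD_FLAG 0x01000000u
#define INDEX_MASK 0x00FFFFFFu

typedef struct {
    const int *fields;  size_t nfields;
    const int *methods; size_t nmethods;
} klass;

/* Weak: building a handle for method number n never checks that n stays
   below FIELD_FLAG, so a large n sets the flag bit by accident. */
uint32_t make_method_handle_weak(size_t n) { return (uint32_t)n; }

/* Hardened: refuse indices that would spill into the flag bit. */
int make_method_handle(size_t n, uint32_t *out) {
    if (n > INDEX_MASK) return -1;
    *out = (uint32_t)n;
    return 0;
}

/* Returns 1 when a handle built for a method would be decoded as a field,
   i.e. the index would be applied to the wrong array. */
int is_confused(uint32_t method_handle) {
    return (method_handle & FIELD_FLAG) != 0;
}

/* Hardened lookup: decode the kind first, then bounds-check the index
   against the array that kind actually refers to. */
int member_get(const klass *k, uint32_t h, int *out) {
    size_t i = h & INDEX_MASK;
    if (h & FIELD_FLAG) {
        if (i >= k->nfields) return -1;   /* blocks the out-of-bounds read */
        *out = k->fields[i];
    } else {
        if (i >= k->nmethods) return -1;
        *out = k->methods[i];
    }
    return 0;
}
```

Both checks matter: the creation-time check stops a confused handle from existing, and the lookup-time check keeps any handle that slips through from reading past the end of the smaller array.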

While the issue has been addressed as part of a code commit pushed on September 16, the changes have not been included in a new stable release, with the last official version (v3.1) released on March 27, 2016. Maintainers who depend on Squirrel in their projects are highly recommended to apply the latest fixes by rebuilding it from source code in order to protect against any attacks.
