CVE-2026-3388

Name	CVE-2026-3388
Description	A vulnerability was found in Squirrel up to 3.2. This affects the function SQCompiler::Factor/SQCompiler::UnaryOP of the file squirrel/sqcompiler.cpp. Performing a manipulation results in uncontrolled recursion. The attack needs to be approached locally. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1130873

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
squirrel3 (PTS)	bullseye	3.1-8	vulnerable
	trixie	3.1-8.2	vulnerable
	forky, sid	3.1-8.3	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
squirrel3	source	(unstable)	(unfixed)			1130873

Notes

[trixie] - squirrel3 <no-dsa> (Minor issue)
[bullseye] - squirrel3 <postponed> (Minor issue; can be fixed in next update)
https://github.com/albertodemichelis/squirrel/issues/312