CVE-2026-3389

Name	CVE-2026-3389
Description	A vulnerability was determined in Squirrel up to 3.2. This vulnerability affects the function sqstd_rex_newnode in the library sqstdlib/sqstdrex.cpp. Executing a manipulation can lead to null pointer dereference. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1130874

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
squirrel3 (PTS)	bullseye	3.1-8	vulnerable
	trixie	3.1-8.2	vulnerable
	forky, sid	3.1-8.3	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
squirrel3	source	(unstable)	(unfixed)			1130874

Notes

[trixie] - squirrel3 <no-dsa> (Minor issue)
[bullseye] - squirrel3 <postponed> (Minor issue; can be fixed in next update)
https://github.com/albertodemichelis/squirrel/issues/314