
SQLite sqldiff CVE-2025-71316

EUVD-2025-210067 | CRITICAL
Improper Handling of Unicode Encoding (CWE-176)
2026-06-04 | cisa-cg | GHSA-gxv8-whj6-g59f
CVSS 4.0 base score: 9.2

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Not a CVSS 4.0 metric (replaced by the Subsequent System impact metrics SC/SI/SA, all N in this vector; the S:X in the string is the optional Safety supplemental metric, not defined)

Lifecycle Timeline (8 events, newest first)

Jun 04, 2026 20:28 (vuln.today) - Analysis Updated: v3 (cvss_changed)
Jun 04, 2026 20:28 (vuln.today) - Analysis Updated: v2 (cvss_changed)
Jun 04, 2026 20:22 (NVD) - Severity Changed: HIGH -> CRITICAL
Jun 04, 2026 20:22 (NVD) - CVSS changed: 7.3 (HIGH) -> 9.2 (CRITICAL)
Jun 04, 2026 19:22 (vuln.today) - Re-analysis Queued: cvss_changed
Jun 04, 2026 19:22 (NVD) - CVSS changed: 7.8 (HIGH) -> 7.3 (HIGH)
Jun 04, 2026 19:22 (vuln.today) - Analysis Generated
Jun 04, 2026 17:39 (nvd) - CVE Published: HIGH 7.3

Description (NVD)

SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options. Fixed on or around 2025-12-26.

Analysis (AI-generated)

Arbitrary DLL loading in SQLite's sqldiff.exe utility on Windows allows an attacker to achieve code execution by abusing the Microsoft C runtime's Unicode-to-ANSI Best-Fit character conversion. Specially crafted Unicode characters in command-line arguments are transliterated into ASCII characters that sqldiff then parses as the '-L' option, loading an attacker-supplied DLL. The AT:P component of the vector reflects the precondition: some program on the host must pass attacker-controlled strings to sqldiff.exe on its command line. The underlying technique is documented in public research (the Black Hat Europe 2024 'WorstFit' presentation), but no public exploit targeting sqldiff specifically has been identified, and the CVE is not listed in CISA KEV.

Technical Context (AI-generated)

sqldiff.exe is a command-line diagnostic tool shipped with SQLite that compares two database files. The root cause maps to CWE-176 (Improper Handling of Unicode Encoding). When a Windows program uses the ANSI entry point (main rather than wmain), the Microsoft C runtime builds its argv by converting the process's UTF-16 command line into the active ANSI code page (the same conversion that GetCommandLineA exposes; there is no CommandLineToArgvA, only the wide CommandLineToArgvW), and that conversion performs Best-Fit mapping, the behaviour the 'WorstFit' research is named after. Characters such as the full-width hyphen-minus (U+FF0D) and other Unicode lookalikes with no exact code-page equivalent are silently transliterated into ASCII '-' and letters, so a string passed as a benign filename argument can, by the time sqldiff's option parser sees it, read as the '-L <path>' switch that sqldiff uses to load a shared extension DLL. Two preconditions apply: the process must run under an ANSI code page that best-fits these characters (a UTF-8 active code page represents every character exactly and performs no best-fit), and some caller must forward attacker-controlled strings onto sqldiff's command line. The affected CPE is cpe:2.3:a:sqlite:sqldiff (all versions prior to the 2025-12-26 fix in tool/winmain.c).

Remediation (AI-generated)

Upgrade sqldiff.exe to a SQLite tool build dated on or after 2025-12-26 that incorporates the winmain.c fix (see https://sqlite.org/src/file/tool/winmain.c and the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-155-01.json). Where patching is delayed, avoid invoking sqldiff.exe with externally supplied or untrusted command-line arguments. A wrapper script cannot change how sqldiff's own C runtime converts its command line, so the wrapper's job is to refuse arguments before the call: reject any argument containing non-ASCII characters, or pass only values from a sanitised allowlist. Note that this requires changes in every caller of sqldiff and does not protect interactive use. As a stronger compensating control, remove sqldiff.exe from Windows hosts that do not need it, or run it under an unprivileged service account with AppLocker/WDAC rules blocking DLL loads from user-writable paths; the trade-off is that legitimate use of the '-L' shared-extension feature breaks for any extension kept in those paths.
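The following Python is an added example, not SQLite's code and not part of this advisory, that models both halves of what the Technical Context and Remediation sections describe: the Best-Fit transliteration that turns a "filename" into the '-L' switch, and the pre-invocation guard a wrapper script should apply. DEMO_BEST_FIT is a constructed, illustrative subset of best-fit behaviour (fullwidth ASCII forms collapsing onto ASCII) and parse_sqldiff_like is a simplified stand-in for sqldiff's option handling; both are assumptions made for this example. windows_ansi() is the only function that touches the real conversion (WideCharToMultiByte with CP_ACP) and it runs only on Windows.

```python
# Added example (not SQLite's code): model the Best-Fit argv hazard and the
# pre-invocation guard for wrapper scripts. DEMO_BEST_FIT and
# parse_sqldiff_like are constructed simplifications, not real tables/parsers.
import ctypes

# Assumption for illustration: fullwidth ASCII variants (U+FF01..U+FF5E)
# best-fit onto their ASCII counterparts, as the real bestfit*.txt tables do
# for many code pages. Every other non-ASCII character is treated as
# unmappable here, which a real code page would not do for all of them.
DEMO_BEST_FIT = {chr(cp): chr(cp - 0xFEE0) for cp in range(0xFF01, 0xFF5F)}


def best_fit_ansi(s: str, table: dict = DEMO_BEST_FIT) -> str:
    """Model an ANSI conversion with best-fit on: ASCII passes through,
    table hits are transliterated, other characters become '?'."""
    out = []
    for ch in s:
        if ord(ch) < 0x80:
            out.append(ch)
        else:
            out.append(table.get(ch, "?"))
    return "".join(out)


def parse_sqldiff_like(argv: list) -> dict:
    """Simplified stand-in for sqldiff's option handling: an argument starting
    with '-' is an option; '-L'/'--lib' consumes the next argument as the
    extension library to load; everything else is a database file."""
    files, lib, i = [], None, 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("-"):
            opt = arg.lstrip("-")
            if opt in ("L", "lib"):
                if i + 1 >= len(argv):
                    raise ValueError("missing argument to " + arg)
                lib = argv[i + 1]
                i += 2
                continue
            raise ValueError("unknown option " + arg)
        files.append(arg)
        i += 1
    return {"files": files, "lib": lib}


def run_model(unicode_argv: list) -> tuple:
    """Return (ANSI argv as an ANSI main() would see it, parse result)."""
    ansi_argv = [best_fit_ansi(a) for a in unicode_argv]
    return ansi_argv, parse_sqldiff_like(ansi_argv)


def unsafe_args(argv: list) -> list:
    """Wrapper-script guard: every argument containing a non-ASCII character,
    i.e. every argument whose meaning best-fit could rewrite. Refuse the call
    if this list is non-empty."""
    return [a for a in argv if any(ord(c) > 0x7F for c in a)]


def windows_ansi(s: str, no_best_fit: bool = False) -> bytes:
    """Windows only: the real CP_ACP conversion via WideCharToMultiByte,
    optionally with WC_NO_BEST_FIT_CHARS (0x400) so lookalikes become '?'.
    Compare both outputs to see which of your inputs would be rewritten."""
    k32 = ctypes.windll.kernel32
    flags = 0x400 if no_best_fit else 0
    n = k32.WideCharToMultiByte(0, flags, s, -1, None, 0, None, None)
    buf = ctypes.create_string_buffer(n)
    k32.WideCharToMultiByte(0, flags, s, -1, buf, n, None, None)
    return buf.raw[: max(n - 1, 0)]


if __name__ == "__main__":
    # Constructed scenario: a caller forwards two user-supplied "file names".
    # As Unicode they are merely odd names; after best-fit the first reads
    # "-L", so the parser loads the second as an extension library.
    argv = ["\uff0d\uff2c", "evil.dll"]  # fullwidth hyphen-minus + fullwidth L
    print(run_model(argv))
    print("guard would reject:", unsafe_args(argv))
```

Run it with any Python 3 on a Linux or Windows host; only windows_ansi() needs Windows. The guard is deliberately coarse (all non-ASCII, not just known lookalikes) because the exact best-fit table depends on the active code page of the host where sqldiff.exe runs, which a wrapper cannot know in general.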


CVE-2025-71316 vulnerability details – vuln.today
