Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
Description (CVE.org)
SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.
Analysis (AI)
Heap-based buffer overflow in SQLite's FTS5 full-text search extension (versions before 3.53.2) allows attackers to crash the process or execute arbitrary code by supplying a malicious database file that triggers an integer underflow in fts5ChunkIterate() during MATCH query processing. The flaw affects any application compiled with SQLITE_ENABLE_FTS5 that opens an attacker-supplied database and runs an FTS5 query against it; no public exploit identified at time of analysis, though VulnCheck has published an advisory.
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires (1) the target application to be linked against SQLite older than 3.53.2 compiled with SQLITE_ENABLE_FTS5, (2) the attacker to deliver a crafted SQLite database file whose FTS5 continuation page metadata sets szLeaf to a value less than 4, and (3) the victim application to execute an FTS5 MATCH query against that database - corresponding to the CVSS UI:P (passive user interaction) requirement. … |
| Risk Assessment | CVSS 4.0 vector AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H scores 8.5 and reflects the realistic threat model: the attacker does not need credentials but does need the victim to interact with a malicious database (UI:P), and the attack vector is Local because SQLite consumes a file rather than a network stream. … |
| Exploit Scenario | An attacker crafts a malicious SQLite database whose FTS5 segment contains a continuation page with szLeaf set to a value less than 4, then delivers it to a victim via email attachment, file-sharing link, app backup import, or sync service. When the victim's application opens the database and executes any FTS5 MATCH query (often triggered automatically by search UI), fts5ChunkIterate() underflows its remaining-bytes counter and overruns the heap with attacker-controlled bytes, yielding a process crash or arbitrary code execution in the application's context. |
| Remediation | Upgrade SQLite to version 3.53.2 or later, which contains the upstream fixes tracked at https://sqlite.org/src/info/061febcf41ca and https://sqlite.org/src/info/4a5ad516ea93; consult https://sqlite.org/releaselog/3_53_2.html for full release notes. … |
Recommended Action (AI)
Within 24 hours: Audit all internal systems and applications for SQLite usage with FTS5 enabled (SQLITE_ENABLE_FTS5 compile flag). …
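One way to run that audit against the SQLite library a Python runtime is linked to, as an added example that is not part of the advisory or of SQLite itself. The function names and verdict strings are assumptions made for illustration; the 3.53.2 threshold and the FTS5 condition come from the text above.

```python
import sqlite3

FIXED = (3, 53, 2)  # first fixed release, per the advisory text above

def parse_version(text):
    """'3.45.1' -> (3, 45, 1); short versions are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version, has_fts5):
    """Map (version string, FTS5 compiled in?) to an exposure verdict."""
    # Compare as integer tuples: as strings, '3.9.0' would sort after '3.53.2'.
    if parse_version(version) >= FIXED:
        return "patched"
    return "affected" if has_fts5 else "not-exposed (no FTS5)"

def fts5_enabled(conn):
    """Detect FTS5 in the SQLite library behind this connection."""
    try:
        # compile_options reports names without the SQLITE_ prefix.
        opts = {row[0] for row in conn.execute("PRAGMA compile_options")}
    except sqlite3.Error:
        opts = set()
    if "ENABLE_FTS5" in opts:
        return True
    # Fallback for builds that omit compile-option diagnostics:
    # try to instantiate an FTS5 table in the scratch database.
    try:
        conn.execute("CREATE VIRTUAL TABLE fts5_probe USING fts5(x)")
        conn.execute("DROP TABLE fts5_probe")
        return True
    except sqlite3.OperationalError:
        return False

def audit_linked_library():
    """Return (version, verdict) for the library this interpreter uses."""
    conn = sqlite3.connect(":memory:")
    try:
        version = conn.execute("SELECT sqlite_version()").fetchone()[0]
        return version, classify(version, fts5_enabled(conn))
    finally:
        conn.close()

if __name__ == "__main__":
    print(audit_linked_library())
```

This reports only on the SQLite build loaded by the interpreter that runs it; applications that bundle or statically link their own copy of SQLite need the same check against that copy.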
EUVD-2026-35801
GHSA-8g48-4wfm-7247