CVE-2026-11822
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
SQLite versions before 3.53.2 contain memory corruption vulnerabilities in the FTS5 full-text search extension that can lead to process crashes, memory exhaustion, or arbitrary code execution. Attackers can exploit malformed FTS5 page data in a crafted database.
Risk Assessment
These vulnerabilities can lead to serious security incidents, including unauthorized access to systems and data. Organizations should be aware of the risks associated with using vulnerable versions of SQLite.
Recommendation
It is recommended to upgrade SQLite to version 3.53.2 or later to mitigate these vulnerabilities. Additionally, databases should be monitored and verified for potential attacks.
Original NVD description (English source)
SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.

