CVE Catalog

CVE-2026-11824

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile - higher than 2% of all known CVEs

Summary

SQLite before version 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata.

Risk Assessment

This vulnerability can lead to application crashes or arbitrary code execution, posing a serious security threat to systems using SQLite with FTS5 enabled.

Recommendation

It is recommended to update SQLite to version 3.53.2 or later to mitigate this vulnerability and to review and validate databases for malicious metadata.

Original NVD description (English source)

SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS