CVE-2026-11824
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
SQLite before version 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata.
Risk Assessment
This vulnerability can lead to application crashes or arbitrary code execution, posing a serious security threat to systems using SQLite with FTS5 enabled.
Recommendation
It is recommended to update SQLite to version 3.53.2 or later to mitigate this vulnerability and to review and validate databases for malicious metadata.
Original NVD description (English source)
SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.

