CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension
Vulnerability ID: CVE-2026-11822
CVSS Score: 7.8
Published: 2026-06-09
A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.
TL;DR
A vulnerability in SQLite FTS5 allows local attackers to cause memory corruption and arbitrary code execution by querying a maliciously crafted database file.
Technical Details
- CWE ID: CWE-122, CWE-125
- Attack Vector: Local
- CVSS: 7.8 (High)
- EPSS Score: 0.00175
- Exploit Status: None / Proof-of-Concept not publicly available
- KEV Status: Not Listed
Affected Systems
- Node.js
- Echo framework
- Debian Linux
- Ubuntu Linux
- Alma Linux
- Photon OS
- openSUSE
- Chromium-based browsers
-
SQLite: < 3.53.2 (Fixed in:
3.53.2)
Code Analysis
Commit: 061febc
Backport of the trunk fix into the stable branch.
Commit: 4a5ad51
Fix potential buffer overwrite that could occur in fts5 when processing corrupt records.
Mitigation Strategies
- Upgrade SQLite to version 3.53.2 or later
- Compile SQLite with -DSQLITE_ENABLE_FTS5=0 to disable the vulnerable module
- Implement sandbox controls on processes loading SQLite databases
Remediation Steps:
- Identify all applications compiling or dynamically linking SQLite
- Apply the official patch or upgrade to SQLite 3.53.2
- Verify FTS5 compilation flags if upgrade is not possible
References
- Official SQLite Release Log (v3.53.2)
- SQLite Branch 3.53 Patch Commit (061febcf41ca)
- SQLite Trunk Patch Commit (4a5ad516ea93)
- VulnCheck Security Advisory
- Wiz Vulnerability Database Profile
- CVE Record on CVE.org
Read the full report for CVE-2026-11822 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)