DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-11822: CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

Vulnerability ID: CVE-2026-11822
CVSS Score: 7.8
Published: 2026-06-09

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

TL;DR

A vulnerability in SQLite FTS5 allows local attackers to cause memory corruption and arbitrary code execution by querying a maliciously crafted database file.


Technical Details

  • CWE ID: CWE-122, CWE-125
  • Attack Vector: Local
  • CVSS: 7.8 (High)
  • EPSS Score: 0.00175
  • Exploit Status: None / Proof-of-Concept not publicly available
  • KEV Status: Not Listed

Affected Systems

  • Node.js
  • Echo framework
  • Debian Linux
  • Ubuntu Linux
  • Alma Linux
  • Photon OS
  • openSUSE
  • Chromium-based browsers
  • SQLite: < 3.53.2 (Fixed in: 3.53.2)

Code Analysis

Commit: 061febc

Backport of the trunk fix into the stable branch.

Commit: 4a5ad51

Fix potential buffer overwrite that could occur in fts5 when processing corrupt records.

Mitigation Strategies

  • Upgrade SQLite to version 3.53.2 or later
  • Compile SQLite with -DSQLITE_ENABLE_FTS5=0 to disable the vulnerable module
  • Implement sandbox controls on processes loading SQLite databases

Remediation Steps:

  1. Identify all applications compiling or dynamically linking SQLite
  2. Apply the official patch or upgrade to SQLite 3.53.2
  3. Verify FTS5 compilation flags if upgrade is not possible

References


Read the full report for CVE-2026-11822 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)