HIGH 7.8

CVE-2026-11824: SQLite FTS5 Heap Buffer Overflow – Patch to 3.53.2

SQLite versions before 3.53.2 contain a critical flaw in their full-text search capability that can be exploited by opening a specially crafted database file. When an application uses the FTS5 feature and processes search queries against the malicious database, attackers can trigger a memory corruption issue that crashes the application or potentially executes code with the privileges of the user running SQLite. The vulnerability requires local access and user interaction (opening a file), but poses significant risk to applications that accept untrusted database files.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11824 is a heap-based buffer overflow in SQLite's FTS5 full-text search extension. The vulnerability stems from improper validation of the szLeaf metadata field in continuation pages within FTS5 indexes. When szLeaf is set to a value smaller than 4, an integer underflow occurs in the fts5ChunkIterate() function during MATCH query processing. This underflow causes the remaining byte counter to become inflated, leading to out-of-bounds heap reads and writes when the function iterates through index chunks. The overflow is triggered during query execution, not during database loading, making it dependent on the specific FTS5 queries executed by the application. The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow).

Business impact

Organizations using SQLite with FTS5 enabled face two primary risks: denial of service through application crashes, and potential arbitrary code execution if heap layout conditions are favorable. This affects any application that embeds SQLite and processes untrusted or user-supplied database files—including document indexing systems, embedded analytics tools, and local search applications. Crashes could disrupt dependent processes or workflows. Code execution risk is particularly acute for multi-user systems or services that accept database uploads from external parties. The local-access requirement limits exposure in server environments but creates substantial risk for desktop, mobile, and end-user tools.

Affected systems

SQLite versions before 3.53.2 are affected. The vulnerability requires that SQLite be compiled with the SQLITE_ENABLE_FTS5 flag, which enables the full-text search extension. This is a common configuration in many distributions and applications. Check your SQLite version using 'sqlite3 --version' and verify whether FTS5 support is enabled. Applications embedding SQLite should verify both their SQLite version and build configuration.

Exploitability

Exploitation requires (1) local access to the target system, (2) user interaction to open or process a malicious database file, and (3) FTS5 to be enabled in the SQLite build. An attacker must craft a database with specific FTS5 metadata corruption; this is non-trivial but well within the capabilities of a motivated adversary. Once a user opens the malicious database and the application executes an FTS5 MATCH query, the overflow is triggered automatically. The barrier to exploitation is moderate due to the requirement for user interaction and local access, but the impact is severe.

Remediation

Upgrade SQLite to version 3.53.2 or later. Verify that your applications and libraries are using the patched version. For systems that cannot be immediately patched, mitigation options include disabling FTS5 at compile time (if rebuilding is feasible), restricting access to database files through file permissions, and avoiding processing of untrusted database files from external sources. Apply the patch across all systems that embed SQLite, including servers, desktops, containers, and packaged applications.

Patch guidance

Consult the official SQLite release notes and your application vendor's advisories for specific patch versions available for your deployment. SQLite typically provides source code patches and may be distributed through OS package managers (apt, yum, brew) with version 3.53.2 or later. Application-level patches depend on your embedded SQLite version—verify with vendors. Test patches in non-production environments before broad deployment, particularly for mission-critical applications relying on SQLite databases.

Detection guidance

Monitor for SQLite version information in your environment via software inventory tools, package managers, or application logs. Enable query logging in SQLite where possible to identify FTS5 MATCH operations being performed. In security operations, watch for application crashes or memory access violations in processes using SQLite, particularly when they coincide with database file processing. Intrusion detection systems may flag anomalous heap corruption patterns if enabled. Since exploitation requires opening a malicious database, logs of file transfers or database imports can provide forensic leads.

Why prioritize this

This vulnerability merits high priority due to its CVSS 7.8 (HIGH) severity and potential for code execution. While it requires local access and user interaction, those constraints are realistic in many organizational contexts: developers opening shared databases, users receiving files via email, or internal tools processing untrusted data. The relative ease of crafting a malicious FTS5 database, combined with the severe impact, justifies accelerated patching. Organizations should prioritize systems that process external or untrusted database files.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects a HIGH severity rating based on: (1) high confidentiality, integrity, and availability impact (code execution and crashes), (2) low attack complexity (once a malicious database is provided), (3) no privilege escalation required, (4) local attack vector, and (5) required user interaction. The score appropriately weights the serious consequences against the constrained attack surface.

Frequently asked questions

Do I need to worry about this if I don't use full-text search (FTS5)?

No. This vulnerability is specific to the FTS5 extension. If your application does not enable SQLITE_ENABLE_FTS5 at compile time, you are not affected. However, many distributions and popular applications enable FTS5 by default, so verify your build configuration.

Can this be exploited remotely by sending a database file?

The initial trigger requires local access and user interaction (opening the file), so it is not a remote vulnerability in the network sense. However, it can be delivered remotely via email or file transfer—the execution requires the recipient to open it. Once opened and queried, exploitation is automatic.

What happens if my application crashes due to this vulnerability?

A crash results in denial of service for the immediate process and any dependent workflows. Whether code execution occurs depends on memory conditions and heap layout. In either case, upgrading to SQLite 3.53.2 or later is the only reliable fix.

How do I verify my SQLite version and FTS5 support?

Run 'sqlite3 --version' at the command line. For FTS5 support, connect to a database and run 'PRAGMA compile_options;' and look for 'ENABLE_FTS5'. For embedded SQLite in applications, check vendor documentation or inspect the application's library paths and version strings.

This analysis is based on publicly available vulnerability data as of the publication date. Security assessments should be conducted by qualified professionals in the context of your specific environment and risk posture. Patch availability, vendor guidance, and exploitation feasibility may evolve; consult official SQLite and application vendor advisories for the most current information. SEC.co makes no warranty regarding the completeness or accuracy of vulnerability intelligence and recommends independent verification of all guidance before implementation. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).