CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-3277
https://notcve.org/view.php?id=CVE-2025-3277
14 Apr 2025 — An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution. • https://sqlite.org/src/info/498e3f1cf57f164f • CWE-122: Heap-based Buffer Overflow •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-29088
https://notcve.org/view.php?id=CVE-2025-29088
10 Apr 2025 — An issue in sqlite v.3.49.0 allows an attacker to cause a denial of service via the SQLITE_DBCONFIG_LOOKASIDE component In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect. • https://gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248 • CWE-190: Integer Overflow or Wraparound CWE-400: Uncontrolled Resource Consumption •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-29087
https://notcve.org/view.php?id=CVE-2025-29087
07 Apr 2025 — In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory. • https://www.sqlite.org/cves.html • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-46488
https://notcve.org/view.php?id=CVE-2024-46488
25 Sep 2024 — sqlite-vec v0.1.1 was discovered to contain a heap buffer overflow via the npy_token_next function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file. • https://github.com/VulnSphere/LLMVulnSphere/blob/main/VectorDB/sqlite-vec/OOBR_2.md • CWE-122: Heap-based Buffer Overflow •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 1CVE-2024-0232 – Sqlite: use-after-free bug in jsonparseaddnodearray
https://notcve.org/view.php?id=CVE-2024-0232
16 Jan 2024 — A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service. Se identificó un problema de uso después de la liberación del montón en SQLite en la función jsonParseAddNodeArray() en sqlite3.c. Este fallo permite que un atacante local aproveche a una víctima para que pase entradas ... • https://access.redhat.com/security/cve/CVE-2024-0232 • CWE-416: Use After Free •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 1CVE-2023-7104 – SQLite SQLite3 make alltest sqlite3session.c sessionReadRecord heap-based overflow
https://notcve.org/view.php?id=CVE-2023-7104
25 Dec 2023 — A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2023-32697 – Sqlite-jdbc vulnerable to remote code execution when JDBC url is attacker controlled
https://notcve.org/view.php?id=CVE-2023-32697
23 May 2023 — SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2. • https://github.com/xerial/sqlite-jdbc/releases/tag/3.41.2.2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 4%CPEs: 1EXPL: 1CVE-2021-31239 – Gentoo Linux Security Advisory 202311-03
https://notcve.org/view.php?id=CVE-2021-31239
09 May 2023 — An issue found in SQLite SQLite3 v.3.35.4 that allows a remote attacker to cause a denial of service via the appendvfs.c function. Multiple vulnerabilities have been discovered in SQLite, the worst of which may lead to code execution. Versions greater than or equal to 3.42.0 are affected. • https://github.com/Tsiming/Vulnerabilities/blob/main/SQLite/CVE-2021-31239 • CWE-125: Out-of-bounds Read •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 2CVE-2022-46908 – Gentoo Linux Security Advisory 202311-03
https://notcve.org/view.php?id=CVE-2022-46908
12 Dec 2022 — SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE. SQLite hasta 3.40.0, cuando depende de --safe para la ejecución de un script CLI que no es de confianza, no implementa correctamente el mecanismo de protección azProhibitedFunctions y, en su lugar, permite funciones UDF como WRITEFILE. It was discovered that SQLite incorrectly handled certain pr... • https://news.ycombinator.com/item?id=33948588 •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-35525 – sqlite: Null pointer derreference in src/select.c
https://notcve.org/view.php?id=CVE-2020-35525
01 Sep 2022 — In SQlite 3.31.1, a potential null pointer derreference was found in the INTERSEC query processing. En SQlite versión 3.31.1, se encontró una potencial desreferencia de puntero null en el procesamiento de consultas INTERSEC A NULL pointer dereference flaw was found in select.c of SQLite. An out-of-memory error occurs while an early out on the INTERSECT query is processing. This flaw allows an attacker to execute a potential NULL pointer dereference. Red Hat Advanced Cluster Management for Kubernetes 2.4.8 i... • https://security.netapp.com/advisory/ntap-20230706-0007 • CWE-476: NULL Pointer Dereference •