CVE-2025-29087
Ubuntu Security Notice USN-7528-1
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.
It was discovered that SQLite incorrectly handled the concat_ws function. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, and Ubuntu 24.10. It was discovered that SQLite incorrectly handled certain argument values to sqlite3_db_config. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2025-03-11 CVE Reserved
- 2025-04-07 CVE Published
- 2025-04-15 CVE Updated
- 2025-06-14 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-190: Integer Overflow or Wraparound
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://www.sqlite.org/cves.html | ||
| https://gist.github.com/ylwango613/a44a29f1ef074fa783e29f04a0afd62a | ||
| https://sqlite.org/releaselog/3_49_1.html |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| SQLite Search vendor "SQLite" | SQLite Search vendor "SQLite" for product "SQLite" | >= 3.44.0 < 3.49.1 Search vendor "SQLite" for product "SQLite" and version " >= 3.44.0 < 3.49.1" | en |
Affected
| ||||||