CVE-2025-29088

Ubuntu Security Notice USN-7528-1

Severity Score

5.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

An issue in sqlite v.3.49.0 allows an attacker to cause a denial of service via the SQLITE_DBCONFIG_LOOKASIDE component

In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.

It was discovered that SQLite incorrectly handled the concat_ws function. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, and Ubuntu 24.10. It was discovered that SQLite incorrectly handled certain argument values to sqlite3_db_config. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-03-11 CVE Reserved
2025-04-10 CVE Published
2025-04-14 CVE Updated
2025-06-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-190: Integer Overflow or Wraparound
CWE-400: Uncontrolled Resource Consumption

CAPEC

References (5)

URL	Tag	Source
https://gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248
https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
https://www.sqlite.org/cves.html
https://sqlite.org/forum/forumpost/48f365daec
https://sqlite.org/releaselog/3_49_1.html

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
SQLite Search vendor "SQLite"		SQLite Search vendor "SQLite" for product "SQLite"				>= 3.49.0 < 3.49.1 Search vendor "SQLite" for product "SQLite" and version " >= 3.49.0 < 3.49.1"		en		Affected