CVE-2025-71316

CRITICAL 9.8

SQLite sqldiff remote code execution via argument injection

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options. Fixed on or around 2025-12-26.

CWE	CWE-176
Vendor	sqlite
Product	sqldiff
Published	Jun 4, 2026
Last Updated	Jun 5, 2026

Stay Ahead of the Next One

Get instant alerts for sqlite sqldiff

Be the first to know when new critical vulnerabilities affecting sqlite sqldiff are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

SQLite / sqldiff

0 < 2025-12-26

References

NVD ↗ CVE.org ↗ EPSS Data ↗

sqlite.org: https://sqlite.org/src/file/tool/winmain.c learn.microsoft.com: https://learn.microsoft.com/en-us/windows/win32/api/processenv/nf-processenv-getcommandlinea#security-remarks i.blackhat.com: https://i.blackhat.com/EU-24/Presentations/EU-24-Tsai-V2-WorstFit-Unveiling-Hidden-Transformers-in-Windows-ANSI.pdf raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-155-01.json cve.org: https://www.cve.org/CVERecord?id=CVE-2025-71316

Credits

Vincent55