CVE Alert

CVE-2026-11822

HIGH 7.8

SQLite before 3.53.2 Memory Corruption in FTS5 Extension

CVSS Score: 7.8
EPSS Score: 0.0%
EPSS Percentile: 0th

SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.

CWE: CWE-122
Vendor: sqlite
Product: sqlite
Published: Jun 9, 2026
Last Updated: Jun 9, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

SQLite / SQLite
0 < 3.53.2

References

NVD, CVE.org, EPSS Data
sqlite.org: https://sqlite.org/src/info/061febcf41ca
sqlite.org: https://sqlite.org/src/info/4a5ad516ea93
sqlite.org: https://sqlite.org/releaselog/3_53_2.html
vulncheck.com: https://www.vulncheck.com/advisories/sqlite-before-memory-corruption-in-fts5-extension

Credits

Ashish Kunwar (@D0rkerDevil)