CVE Alert

CVE-2026-11824

Severity: HIGH (7.8)

SQLite before 3.53.2 Heap Buffer Overflow via FTS5 fts5ChunkIterate

CVSS Score: 7.8
EPSS Score: 0.0%
EPSS Percentile: 0th

SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.

CWE: CWE-122 (Heap-based Buffer Overflow)
Vendor: sqlite
Product: sqlite
Published: Jun 9, 2026
Last Updated: Jun 9, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

SQLite / SQLite (vendor / product): all versions before 3.53.2 (range: 0 <= version < 3.53.2)

References

NVD, CVE.org, EPSS Data
sqlite.org: https://sqlite.org/src/info/061febcf41ca
sqlite.org: https://sqlite.org/src/info/4a5ad516ea93
sqlite.org: https://sqlite.org/releaselog/3_53_2.html
vulncheck.com: https://www.vulncheck.com/advisories/sqlite-before-heap-buffer-overflow-via-fts5-fts5chunkiterate

Credits

Ashish Kunwar (@D0rkerDevil)