CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad




CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

Amit Schendel
Senior Security Researcher

Jul 1, 2026 · 5 min read

Executive Summary (TL;DR)

A vulnerability in SQLite's FTS5 extension allows an attacker who can supply a database file to cause memory corruption, and potentially arbitrary code execution, in any process that opens that file and runs an FTS5 MATCH query against it.

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Vulnerability Overview

The SQLite Full-Text Search 5 (FTS5) extension provides virtual tables that offer efficient search over large bodies of text. In versions prior to 3.53.2, FTS5 contains flaws in how it handles corrupt leaf and continuation pages while servicing MATCH queries. These deficiencies expose a significant attack surface in applications that load and query user-supplied database files.

The exposure manifests through two memory safety bugs, classified as CWE-125 (Out-of-bounds Read) and CWE-122 (Heap-based Buffer Overflow). SQLite has no authentication layer of its own, so the only precondition is that the host application opens an attacker-supplied database file and runs an FTS5 MATCH query over it; control over the query text alone does not suffice, because the corrupt data lives in the file rather than in the SQL. Because SQLite is embedded in countless consumer and enterprise systems, every one of them that accepts database files from outside (imports, attachments, synced application data) inherits this risk.

The core vulnerability lies within the index traversal logic of the FTS5 search module, located inside the 'ext/fts5/fts5_index.c' source file. When a query contains a MATCH operator, the engine initiates page lookup and chunk reconstruction functions. If the database file is structurally malformed, these parsing actions fail to respect memory boundaries.

Root Cause Analysis

The vulnerability is divided into two distinct execution failures occurring under corrupt index conditions. The first issue resides in 'fts5LeafSeek()', which traverses terms on a compacted leaf page. The routine lacks boundary validation on term record loop indices. When reading a malformed term header, the engine can be forced to traverse past the end of the page buffer, resulting in an out-of-bounds memory read.

The second issue occurs in 'fts5ChunkIterate()', which reassembles data that spans a leaf page and one or more continuation pages (a position list for a single row that does not fit on one leaf continues onto the following pages). The routine trusts the length values stored in the on-disk headers when deciding how many bytes remain to be read and how many are present on the current page. An attacker can set these values so that the accounting during iteration no longer agrees with the real page size.

When 'fts5ChunkIterate()' computes the remaining length, subtracting the bytes already processed from a corrupted chunk size can underflow. Treated as an unsigned size, the negative result becomes a very large count, and the subsequent copy proceeds from that count rather than from the bytes actually present, writing past the end of the destination buffer into adjacent heap allocations.

Code Analysis & Patch Inspection

The official patches address these failures by enforcing rigid size verifications on both leaf and continuation pages. In the trunk commit '4a5ad516ea93', safety conditions were introduced to validate chunk limits before data manipulation. These boundaries prevent both the loop overrun and the integer underflow.

// Conceptual representation of the fts5ChunkIterate remediation.
// This is a sketch of the shape of the fix, not the verbatim patch: in
// ext/fts5/fts5_index.c the real routine is static, returns void and records
// corruption through p->rc = FTS5_CORRUPT rather than through a return value.
int fts5ChunkIterate(
  Fts5Index *p,
  Fts5Data *pPage,    /* current leaf or continuation page: pPage->p, pPage->nn */
  int iOff,           /* offset of the chunk within the page */
  int nByte           /* bytes the on-disk header claims remain in the chunk */
){
  // Prior to the patch the loop subtracted processed bytes from nByte without
  // verifying that the claimed length fitted inside the page, so a corrupt
  // header could drive the remaining count negative (very large when treated
  // as an unsigned size) and the copy past the end of the page buffer.
  if( nByte<0 || iOff<0 || nByte>pPage->nn-iOff ){
    return SQLITE_CORRUPT;
  }
  // ... copy nByte bytes from &pPage->p[iOff], then continue on the next
  // continuation page, re-checking against that page's own size ...
  return SQLITE_OK;
}

Propagating 'SQLITE_CORRUPT' makes malformed index records fail closed: instead of reading or writing through a bad offset, the FTS5 extension stops the query and returns an explicit corruption error to the caller. The added checks close the out-of-bounds read and the heap overflow described above; they are targeted fixes, not a general hardening of FTS5 against every corrupt-file shape, which is why upgrading matters more than any single check.

Exploitation Methodology & Attack Vector

Exploitation of CVE-2026-11822 relies on file-format manipulation to craft a specialized SQLite database. FTS5 stores its index segments as blobs in shadow tables created alongside the virtual table (the %_data shadow table holds the leaf pages), so the attacker edits the raw bytes of those blobs, the term headers and chunk length fields parsed during a search, rather than the SQL schema.

An attacker must deliver this file to a target that opens untrusted databases. Nothing happens on open alone; the corrupt pages are parsed when the application runs a MATCH query against the FTS5 table, consistent with the UI:R component of the CVSS vector. Depending on memory layout and the platform's mitigations, the heap overflow yields a denial of service or, with more effort, control-flow hijacking.

Impact Assessment

The potential consequences of CVE-2026-11822 span confidentiality, integrity, and availability. The out-of-bounds read in 'fts5LeafSeek()' causes the engine to interpret memory beyond the page buffer as index data. Where that data flows into query results (matched terms, rowids, position offsets) and the attacker can observe the output, it discloses the contents of adjacent heap memory, which may include keys, environment variables, or rows from unrelated databases opened by the same process. Where it does not, the read still produces a crash or a nondeterministic result.

The heap buffer overflow in 'fts5ChunkIterate()' is a linear overwrite of whatever follows the destination buffer on the heap. Depending on what the attacker can arrange to sit there (allocator metadata, another object holding a function pointer or a length field), this can be worked up from a crash into controlled memory corruption and ultimately into code execution in the context of the running process. That step is what lifts the severity from denial of service to compromise.

Due to the widespread integration of SQLite, the actual risk depends largely on how the embedding application is deployed. Applications running with elevated privileges on client systems, or services that query uploaded databases on servers, face direct compromise. Platform mitigations (ASLR, hardened heap allocators and, where available, control-flow integrity) do not remove the bug but reduce the reliability of turning the overflow into code execution, so for many targets the realistic outcome is a crash of the process that opened the file.

Remediation & Defense

The primary remediation path is upgrading SQLite to version 3.53.2 or later. Developers who link SQLite statically or bundle the amalgamation (sqlite3.c) must rebuild and reship their binaries; dynamically linked applications pick up the fix from the operating system package. System administrators should prioritise patching downstream packages in operating systems that ship a vulnerable SQLite library, and verify the version actually loaded at runtime with 'SELECT sqlite_version();' rather than trusting the package name.

If immediate upgrades are unfeasible and the application does not need full-text search, building SQLite without the FTS5 extension removes the vulnerable code path from the library entirely. FTS5 is compiled in whenever the SQLITE_ENABLE_FTS5 macro is defined; because the source tests for the macro being defined rather than for its value, passing '-DSQLITE_ENABLE_FTS5=0' does not disable FTS5 but enables it. The correct change is to omit '-DSQLITE_ENABLE_FTS5' from the compiler flags (and not to pass '--enable-fts5' to configure, or drop the define from whatever build system adds it), then confirm with 'PRAGMA compile_options;' that ENABLE_FTS5 no longer appears. Note that most distribution and many embedded builds do enable FTS5, so this is a rebuild, not a configuration toggle.

Furthermore, strict entry controls must be enforced on database imports. Applications should refuse SQLite files from untrusted clients unless they are genuinely needed, open those that are needed read-only, and treat any file that declares FTS5 virtual tables with particular suspicion while a vulnerable library is in use. Running the parsing of untrusted databases in a separate, low-privilege, sandboxed process limits the blast radius if a corrupt file is queried anyway.
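As an added example (not code from SQLite or from this report's authors), the following Python puts the checks above into one gate: is the linked library older than 3.53.2 with FTS5 compiled in, does an incoming file declare FTS5 virtual tables, and should it therefore be opened for querying. The fixed version 3.53.2 is taken from this report; the compile-option name ENABLE_FTS5 and the choice to read only sqlite_master are assumptions stated in the code.

```python
"""Gate untrusted SQLite files in front of a possibly vulnerable FTS5.

Added example for this report; not SQLite's code nor the report authors'.
Assumptions: the fixed release is 3.53.2 as stated above, and an FTS5-enabled
build reports ENABLE_FTS5 in PRAGMA compile_options (how the amalgamation
exposes the SQLITE_ENABLE_FTS5 define). The file check reads only
sqlite_master, so no FTS5 leaf or continuation page is parsed; it is a gate in
front of the vulnerable code, not a validator of the index itself.
"""
import os
import re
import sqlite3
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = (3, 53, 2)

# Matches the DDL SQLite stores in sqlite_master for an FTS5 virtual table,
# e.g. CREATE VIRTUAL TABLE docs USING fts5(title, body). Quoted identifiers
# ("name", [name], `name`) and bare names are both captured as the table name.
_FTS5_DDL = re.compile(
    r"^\s*CREATE\s+VIRTUAL\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?"
    r'(?P<name>"[^"]+"|\[[^\]]+\]|`[^`]+`|\w+)\s+USING\s+fts5\s*\(',
    re.IGNORECASE | re.DOTALL,
)


def library_affected(version: Tuple[int, ...], compile_options: Iterable[str]) -> bool:
    """True when SQLite predates the fix AND FTS5 is compiled in.

    A build without FTS5 has no fts5_index.c code to reach, so it is not
    exposed however old it is.
    """
    has_fts5 = any(opt.strip().upper() == "ENABLE_FTS5" for opt in compile_options)
    return has_fts5 and tuple(version) < FIXED_VERSION


def fts5_tables(schema_sql: Iterable[Optional[str]]) -> List[str]:
    """Names of FTS5 virtual tables declared in the given sqlite_master 'sql' rows."""
    found = []
    for sql in schema_sql:
        m = _FTS5_DDL.match(sql or "")
        if m:
            found.append(m.group("name").strip('"[]`'))
    return found


def linked_library_status() -> Tuple[Tuple[int, ...], List[str], bool]:
    """Version, compile options and exposure of the SQLite this process is linked against."""
    con = sqlite3.connect(":memory:")
    try:
        opts = [row[0] for row in con.execute("PRAGMA compile_options")]
    finally:
        con.close()
    ver = tuple(sqlite3.sqlite_version_info)
    return ver, opts, library_affected(ver, opts)


def triage_file(path: str, affected: Optional[bool] = None) -> dict:
    """Decide whether an untrusted database file may be opened for querying.

    The file is opened read-only through a URI so triage cannot modify it, and
    only sqlite_master is read. With an affected library, any file declaring
    an FTS5 table is rejected; a file that is not a database is rejected too.
    """
    if affected is None:
        affected = linked_library_status()[2]
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    try:
        con = sqlite3.connect(uri, uri=True)
        try:
            rows = [r[0] for r in con.execute(
                "SELECT sql FROM sqlite_master WHERE type = 'table'")]
        finally:
            con.close()
    except sqlite3.DatabaseError as exc:
        return {"accept": False, "fts5_tables": [],
                "reason": f"not a readable SQLite file: {exc}"}
    tables = fts5_tables(rows)
    if affected and tables:
        return {"accept": False, "fts5_tables": tables,
                "reason": "linked SQLite predates 3.53.2 with FTS5 enabled; file declares FTS5 tables"}
    return {"accept": True, "fts5_tables": tables, "reason": "ok"}


def demo() -> dict:
    """Run the gate on constructed inputs: a plain database and a non-database file."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "plain.db")
        con = sqlite3.connect(plain)
        con.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
        con.commit()
        con.close()
        junk = os.path.join(d, "junk.db")
        with open(junk, "wb") as f:
            f.write(b"not a sqlite file\n" * 64)  # constructed garbage, not a database
        return {
            "plain": triage_file(plain, affected=True),
            "junk": triage_file(junk, affected=True),
            "library": linked_library_status(),
        }


if __name__ == "__main__":
    print(demo())
```

Run linked_library_status() once at process start (or in CI against the deployment image) and wire triage_file() in front of whatever imports or attaches user-supplied databases. The schema check is deliberately cheap and conservative: it cannot tell a benign FTS5 index from a corrupt one, and must not try to, because any code that walks the index pages is the code under discussion.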

Official Patches

SQLite: Official SQLite release log detailing version 3.53.2


Technical Appendix

CVSS Score: 7.8 / 10
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Probability: 0.18% (top 93% most exploited)

Affected Systems

  • Node.js
  • Echo framework
  • Debian Linux
  • Ubuntu Linux
  • Alma Linux
  • Photon OS
  • openSUSE
  • Chromium-based browsers

Affected Versions Detail

Product   Affected Versions   Fixed Version
SQLite    < 3.53.2            3.53.2

Attribute        Detail
CWE ID           CWE-122, CWE-125
Attack Vector    Local
CVSS             7.8 (High)
EPSS Score       0.00175
Exploit Status   None / Proof-of-Concept not publicly available
KEV Status       Not Listed

MITRE ATT&CK Mapping

T1190  Exploit Public-Facing Application  (Initial Access)
T1203  Exploitation for Client Execution  (Execution)

The described vector (a file the victim opens and queries; AV:L, UI:R) maps to T1203. T1190 applies only where a service accepts uploaded databases and runs FTS5 queries over them server-side.

CWE-122 Heap-based Buffer Overflow: a write past the bounds of a buffer allocated on the heap (the 'fts5ChunkIterate()' issue).
CWE-125 Out-of-bounds Read: a read before or after the bounds of the intended buffer (the 'fts5LeafSeek()' issue).

Vulnerability Timeline

2026-04-09  SQLite 3.53.0 released
2026-05-11  Vulnerability fixed in SQLite trunk and backported to the 3.53 branch
2026-06-03  SQLite 3.53.2 released incorporating the security patches
2026-06-09  CVE-2026-11822 assigned and published

References & Sources

  • [1] Official SQLite Release Log (v3.53.2)
  • [2] SQLite Branch 3.53 Patch Commit (061febcf41ca)
  • [3] SQLite Trunk Patch Commit (4a5ad516ea93)
  • [4] VulnCheck Security Advisory
  • [5] Wiz Vulnerability Database Profile
  • [6] CVE Record on CVE.org

Attack Flow Diagram

