VYPR
High severity · NVD Advisory · Published Aug 3, 2022 · Updated Feb 13, 2026

CVE-2022-35737

Description

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQLite CVE-2022-35737 is an array-bounds overflow in printf functions triggered by large string inputs, enabling denial-of-service and potentially arbitrary code execution on 64-bit systems.

Vulnerability

Overview

CVE-2022-35737 is an array-bounds overflow vulnerability in SQLite versions 1.0.12 through 3.39.x before 3.39.2. The bug occurs when a string argument billions of bytes long is passed to SQLite's C API printf functions (specifically through the %Q, %q, or %w format substitution types) [1]. The flaw was introduced in SQLite 1.0.12 (released in 2000) and fixed in version 3.39.2 (July 2022) [1].

Exploitation and Attack Surface

The vulnerability is exploitable on 64-bit systems: when the library is compiled without stack canaries it allows arbitrary code execution, while with stack canaries only denial-of-service is confirmed [1]. Exploitation requires passing very large string inputs into the SQLite printf functions; if the format string includes the '!' special character for Unicode scanning, arbitrary code execution becomes possible in the worst case [1]. The official SQLite vulnerability page notes that, in practice, exploitation requires the attacker to submit and run arbitrary SQL statements or provide a malicious database file, conditions few real-world applications meet [2].

Impact

On vulnerable versions, an attacker can cause a denial-of-service (crash) in all cases, and on systems compiled without stack canaries, arbitrary code execution is achievable [1]. The bug is notable because compiler optimizations interacting with undefined behavior can make exploitation easier [1].

Mitigation

The vulnerability is fixed in SQLite version 3.39.2 and later [1]. Applications using SQLite should update to this version or newer. For bindings such as rusqlite (Rust), enabling the 'bundled' feature compiles an up-to-date SQLite into the binary, avoiding the vulnerable version [3].
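As an added example (not part of this advisory), the following Python helper encodes the affected ranges stated above (SQLite 1.0.12 through 3.39.x before 3.39.2, and libsqlite3-sys before 0.25.1) so an inventory scan can flag vulnerable builds, and checks the SQLite library linked into the running interpreter. The inventory records and the function names are constructed for illustration.

```python
import sqlite3

# Affected range from the advisory: SQLite 1.0.12 through 3.39.x before 3.39.2.
FIRST_AFFECTED = (1, 0, 12)
FIXED_IN = (3, 39, 2)
# libsqlite3-sys (crates.io) range from the advisory's package table: < 0.25.1.
CRATE_FIXED_IN = (0, 25, 1)


def parse_version(text):
    """Turn '3.39.2' (or '3.39') into a comparable 3-tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def from_libversion_number(n):
    """Decode the X*1000000 + Y*1000 + Z form returned by sqlite3_libversion_number()."""
    return (n // 1000000, (n // 1000) % 1000, n % 1000)


def is_sqlite_affected(version):
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def is_sqlite_affected_number(n):
    return FIRST_AFFECTED <= from_libversion_number(n) < FIXED_IN


def is_crate_affected(version):
    return parse_version(version) < CRATE_FIXED_IN


def runtime_check():
    """Check the SQLite library this Python interpreter is linked against."""
    v = sqlite3.sqlite_version_info  # e.g. (3, 39, 2)
    return {"version": sqlite3.sqlite_version, "affected": FIRST_AFFECTED <= v < FIXED_IN}


# Constructed sample inventory: (host, component, version).
SAMPLE_INVENTORY = [
    ("app-a", "sqlite", "3.38.5"),
    ("app-b", "sqlite", "3.45.1"),
    ("svc-c", "libsqlite3-sys", "0.24.2"),
    ("svc-d", "libsqlite3-sys", "0.25.1"),
]


def flag_inventory(records):
    """Return the hosts whose recorded component version falls in an affected range."""
    checks = {"sqlite": is_sqlite_affected, "libsqlite3-sys": is_crate_affected}
    return [host for host, comp, ver in records if comp in checks and checks[comp](ver)]
```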

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
libsqlite3-sys (crates.io)   < 0.25.1            0.25.1

Affected products

  • SQLite/SQLite

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.
