CVE-2025-61018
Description
An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: = 7.2.11
Patches
Vulnerability mechanics
Root cause
"Unhandled null or malformed pointer dereference in `sqlo_place_dt_set` when compiling an UPDATE statement with a correlated subquery containing a UNION inside an IN clause."
Attack vector
An attacker with the ability to execute arbitrary SQL statements against a Virtuoso database can trigger a denial of service by sending the crafted `UPDATE` statement shown in the PoC. The statement uses a correlated subquery with a `UNION` inside an `IN` clause, which causes a null-pointer dereference or similar fault in `sqlo_place_dt_set` during query compilation. No authentication or special privileges beyond basic SQL execution are required.
Affected code
The crash occurs in the `sqlo_place_dt_set` function (frame #0) of the Virtuoso Open Source 7.2.11 query compiler. The backtrace shows the fault propagates through `sqlo_place_dt`, `sqlo_place_table`, `sqlo_try`, `sqlo_layout_1`, and ultimately `sqlc_update_searched` during compilation of an `UPDATE` statement with a correlated subquery and `UNION`.
What the fix does
The advisory does not include a patch. The vendor has been notified via the GitHub issue, but no fix commit or workaround is published as of this analysis. The root cause appears to be an unhandled edge case in `sqlo_place_dt_set` when processing a correlated subquery that returns a `UNION` result set inside an `IN` clause — the function likely assumes a valid data-type descriptor but receives a null or malformed pointer.
Preconditions
- auth: Ability to execute arbitrary SQL statements against the Virtuoso database server.
- config: The server must be running Virtuoso Open Source 7.2.11 (or the beta Docker image).
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.