CVE-2025-61019
Description
An issue in the sqlo_key_part_best component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products (1)
- Range: =7.2.11
Patches
Vulnerability mechanics
Root cause
"A crash in the `sqlo_key_part_best` function during query optimization when processing a crafted SQL statement with nested subqueries and complex expressions."
Attack vector
An attacker sends a crafted SQL statement containing a nested subquery inside a `CASE` expression combined with a division by a constant, a `CHECK` constraint on a `DECIMAL` primary key, and a complex `ORDER BY` clause. The statement triggers a crash in the query optimizer's cost-estimation function `sqlo_key_part_best` [ref_id=1]. No authentication or special privileges are required beyond the ability to execute SQL statements against the database.
Affected code
The crash occurs in `sqlo_key_part_best` (frame #0) called from `dfe_table_cost_ic_1`, `dfe_table_cost`, and `sqlo_try_oby_order` during query optimization. The backtrace shows the fault propagates through `sqlo_layout_1`, `sqlo_layout`, `sqlo_place_exp`, and ultimately `sql_stmt_comp` when compiling the crafted SQL statement.
What the fix does
The advisory does not include a patch or fix commit. The issue report [ref_id=1] only documents the crash and provides a reproducer; no remediation guidance is published. Users must await a vendor fix or apply mitigations such as restricting SQL execution to trusted users.
Preconditions
- auth: Ability to execute arbitrary SQL statements against the Virtuoso server
- config: The server must be running the affected virtuoso-opensource v7.2.11
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.