CVE-2025-61023
Description
An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: = 7.2.11
Patches
Vulnerability mechanics
Root cause
"A crafted SQL statement with a nested subquery in a CHECK constraint and a GROUP BY CUBE clause causes a crash in the st_compare function during query compilation."
Attack vector
An attacker can trigger a denial of service by sending a crafted SQL statement containing a `CREATE TABLE` with a nested correlated subquery in a `CHECK` constraint followed by an `INSERT ... GROUP BY CUBE` query. The PoC uses a `SELECT` subquery inside a `CHECK` constraint and a `GROUP BY CUBE` clause with a comparison `'xwvutsr' < 0` to cause a crash in `st_compare` during query compilation. No authentication or special privileges beyond the ability to execute SQL statements are required.
Affected code
The crash occurs in `st_compare` (frame #0) during query compilation when processing a crafted SQL statement that includes a `GROUP BY CUBE` clause. The backtrace shows the failure propagates through `make_grouping_bitmap_set`, `sqlg_make_sort_nodes`, and `sqlg_group_node` before reaching `st_compare` via `bsearch` and `qsort_r`.
What the fix does
No patch is included in the bundle. The advisory [1] documents the crash but does not provide a fix. The vendor would need to add bounds checking or input validation in the `st_compare` function or its callers to handle malformed grouping expressions that cause `bsearch`/`qsort_r` to operate on invalid comparison data.
Preconditions
- auth: Attacker must be able to execute arbitrary SQL statements against the Virtuoso server.
- config: The server must be running the affected version (v7.2.11).
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References