VYPR
High severity · 7.8 · NVD Advisory · Published Jun 9, 2026

CVE-2026-11824

Description

SQLite FTS5 extension has a heap buffer overflow vulnerability allowing code execution via crafted database files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

SQLite versions prior to 3.53.2 contain a heap-based buffer overflow in the FTS5 full-text search extension. It is triggered when SQLite processes a crafted database with malicious continuation page metadata, specifically when the `szLeaf` value is less than 4. This causes an integer underflow in `fts5ChunkIterate()`, which inflates the remaining byte count during FTS5 MATCH query processing. Only applications compiled with `SQLITE_ENABLE_FTS5` are affected [3].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted database file to an application that uses the SQLite FTS5 extension. The attacker needs to ensure the database contains malicious continuation page metadata with a `szLeaf` value smaller than 4. When an FTS5 MATCH query is processed on this database, the integer underflow in `fts5ChunkIterate()` will occur, leading to the buffer overflow [3]. No specific network position, authentication, or user interaction is mentioned as required in the available references.

Impact

Successful exploitation of this vulnerability can lead to a heap buffer overflow of attacker-controlled data. This could result in a denial-of-service condition (crash) or allow an attacker to execute arbitrary code within the context of the affected application [3]. The scope of the compromise depends on the privileges of the application running SQLite.

Mitigation

The vulnerability is fixed in SQLite version 3.53.2, released on 2026-06-03 [1]. Users are advised to upgrade to this version or later. No workarounds are mentioned in the available references. SQLite versions prior to 3.53.2 are affected [3].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"An integer underflow in FTS5 MATCH query processing leads to a heap buffer overflow."

Attack vector

Attackers can trigger this vulnerability by supplying a crafted database with malicious continuation page metadata. Specifically, specifying a `szLeaf` value smaller than 4 causes an integer underflow in `fts5ChunkIterate()`. This leads to an inflated remaining byte count during FTS5 MATCH query processing, resulting in a heap buffer overflow of attacker-controlled data [ref_id=1].

Affected code

The vulnerability resides in the FTS5 full-text search extension, specifically within the `fts5ChunkIterate()` function in `ext/fts5/fts5_index.c` [ref_id=1, ref_id=2]. The fix involves changes to this file and the addition of a new test case, `fts5corruptA.test`.

What the fix does

The patch addresses a potential buffer overwrite within the FTS5 extension when processing corrupt records [ref_id=1, ref_id=2]. The fix is implemented in `ext/fts5/fts5_index.c` and aims to prevent the overflow by correctly handling the metadata associated with continuation pages during FTS5 MATCH query processing.

Preconditions

  • Input: The application must be compiled with `SQLITE_ENABLE_FTS5`.
  • Input: The attacker must be able to supply a crafted database file with malicious continuation page metadata.
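
An added example, not part of the advisory or of SQLite's own code: a Python check of the conditions stated under Mitigation and Preconditions (a library older than 3.53.2 with FTS5 compiled in), plus a schema scan that lists the FTS5 tables declared in a database without running a MATCH query. The function names and result labels are assumptions made for this illustration.

```python
import re
import sqlite3

FIXED_VERSION = (3, 53, 2)  # first fixed release named in the advisory
# DDL pattern for an FTS5 virtual table, as stored in the schema table.
FTS5_DDL = re.compile(r"CREATE\s+VIRTUAL\s+TABLE\b.*?\bUSING\s+fts5\b", re.I | re.S)

def parse_version(text):
    """'3.45.1' -> (3, 45, 1); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def library_state(conn):
    """Return (version string, FTS5 compiled in?) for the linked SQLite."""
    version = conn.execute("SELECT sqlite_version()").fetchone()[0]
    # compile_options lists option names without the SQLITE_ prefix.
    options = {row[0] for row in conn.execute("PRAGMA compile_options")}
    return version, "ENABLE_FTS5" in options

def fts5_tables(conn):
    """Names of FTS5 tables declared in the schema; reads DDL text only."""
    rows = conn.execute("SELECT name, sql FROM sqlite_master WHERE type = 'table'")
    return sorted(name for name, sql in rows if sql and FTS5_DDL.search(sql))

def assess(version, fts5_enabled):
    """Classify a build against the advisory's version and build conditions."""
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    if not fts5_enabled:
        return "not-exposed"  # the FTS5 code is not compiled in
    return "vulnerable"

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    version, enabled = library_state(conn)
    print(version, "FTS5" if enabled else "no FTS5", assess(version, enabled))
```

Run it with the interpreter or binding the application actually uses, since the result describes the SQLite library linked into that process rather than the system's `sqlite3` binary.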

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
