https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g
was published on August 15, and states:
Summary
-------
An integer overflow exists in the FTS5 extension. It occurs when the size of an
array of tombstone pointers is calculated and truncated into a 32-bit integer.
A pointer to partially controlled data can then be written out of bounds.
Severity
--------
Moderate - The overflow can be triggered by either an attacker who is able to
execute arbitrary queries or an attacker that can make an application process
a controlled SQLite DB file.
Proof of Concept
----------------
echo "SELECT * FROM articles WHERE articles MATCH 'whatever'" | ./sqlite3 /tmp/poc.sql
=================================================================
==3811642==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x5030000012f0 at pc 0x55eafca6599b bp 0x7ffdd1591570 sp 0x7ffdd1591568
READ of size 8 at 0x5030000012f0 thread T0
Fix can be found here: https://sqlite.org/src/info/63595b74956a9391
Timeline
--------
Date reported: 07/15/2025
Date fixed: 07/16/2025
Date disclosed: 08/15/2025
See the above URL for Further Analysis.
--
-Alan Coopersmith-
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
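To illustrate the bug class the advisory summary describes (a pointer-array byte size narrowed to a 32-bit int, so that a later per-element write runs past the buffer), here is an added example that is not SQLite's code and not part of the advisory; the struct, the MAX_TOMBSTONE_PAGES cap and the function names are hypothetical stand-ins for the pattern, shown beside a checked version.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical tombstone page record; SQLite's real structures differ. */
typedef struct TombstonePage { uint8_t *pData; int nData; } TombstonePage;

/* Hypothetical upper bound on pages in one tombstone array. */
#define MAX_TOMBSTONE_PAGES ((int64_t)1 << 20)

/* Vulnerable pattern: the byte size of a pointer array is computed and
 * then narrowed to a 32-bit int. Once nPage*sizeof(ptr) reaches 2^32 the
 * stored size wraps (made explicit here via uint32_t so the result is
 * deterministic); a buffer allocated from it is far too small for the
 * nPage pointer writes that follow. */
static int vuln_array_bytes(int64_t nPage) {
    uint64_t bytes = (uint64_t)nPage * sizeof(TombstonePage *);
    return (int)(uint32_t)bytes;          /* silent truncation */
}

/* Hardened pattern: reject negative or oversized counts before multiplying,
 * keep the product in size_t, and report failure to the caller. */
static int safe_array_bytes(int64_t nPage, size_t *pnByte) {
    if (nPage < 0 || nPage > MAX_TOMBSTONE_PAGES) return -1;
    if ((uint64_t)nPage > SIZE_MAX / sizeof(TombstonePage *)) return -1;
    *pnByte = (size_t)nPage * sizeof(TombstonePage *);
    return 0;
}

/* Allocates the array only when the size check passes; NULL otherwise. */
static TombstonePage **alloc_tombstone_array(int64_t nPage) {
    size_t nByte;
    if (safe_array_bytes(nPage, &nByte) != 0) return NULL;
    return (TombstonePage **)calloc(1, nByte ? nByte : 1);
}

int main(void) {
    /* Smallest element count whose byte size reaches 2^32 on this platform. */
    int64_t n = ((int64_t)1 << 32) / (int64_t)sizeof(TombstonePage *);
    printf("count %lld -> truncated size %d bytes\n",
           (long long)n, vuln_array_bytes(n));
    TombstonePage **a = alloc_tombstone_array(n);
    printf("hardened allocation: %s\n", a ? "ok" : "rejected");
    free(a);
    return 0;
}
```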