CVE-2025-29087Integer Overflow or Wraparound in Sqlite

CWE-190Integer Overflow or Wraparound9 documents8 sources
Severity
7.5HIGHNVD
CNA3.2
EPSS
0.2%
top 55.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SqliteGhost Sqlite3
Timeline
PublishedApr 7
Latest updateMay 22

Description

In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

CVEListV5sqlite/sqlite3.44.03.49.1
NVDsqlite/sqlite3.44.03.49.1
Debianghost/sqlite3< 3.46.1-3+1
Ubuntughost/sqlite3< 3.31.1-4ubuntu0.7+2

🔴Vulnerability Details

4
OSV
sqlite3 vulnerabilities2025-05-22
GHSA
GHSA-6j35-rq42-fv6v: Sqlite 32025-04-07
OSV
CVE-2025-29087: In SQLite 32025-04-07
CVEList
CVE-2025-29087: In SQLite 32025-04-07

📋Vendor Advisories

4
Ubuntu
SQLite vulnerabilities2025-05-22
Microsoft
In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled2025-04-08
Red Hat
sqlite: Integer Overflow in SQLite concat_ws Function2025-04-07
Debian
CVE-2025-29087: sqlite3 - In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can ...2025
CVE-2025-29087 — Integer Overflow or Wraparound | cvebase