CVE-2025-29088 — Integer Overflow or Wraparound in Sqlite

CWE-190 — Integer Overflow or Wraparound CWE-400 — Uncontrolled Resource Consumption10 documents7 sources

Severity

5.5MEDIUMNVD

CNA5.6

EPSS

0.1%

top 80.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sqlite Ghost Sqlite3

Timeline

PublishedApr 10

Latest updateJul 29

Description

In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5sqlite/sqlite3.49.0 — 3.49.1

▶Debianghost/sqlite3< 3.46.1-4+1

▶NVDsqlite/sqlite3.49.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

sqlite3 vulnerabilities↗2025-07-29

▶

OSV

sqlite3 vulnerabilities↗2025-05-22

▶

OSV

CVE-2025-29088: In SQLite 3↗2025-04-10

▶

GHSA

GHSA-mj4r-rr6h-q62g: An issue in sqlite v↗2025-04-10

▶

CVEList

CVE-2025-29088: In SQLite 3↗2025-04-10

▶

📋Vendor Advisories

Ubuntu

SQLite vulnerabilities↗2025-07-29

▶

Ubuntu

SQLite vulnerabilities↗2025-05-22

▶

Red Hat

sqlite: Denial of Service in SQLite↗2025-04-10

▶

Debian

CVE-2025-29088: sqlite3 - In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in...↗2025

▶