CVE-2025-3277: Heap-based Buffer Overflow in SQLite

Severity
NVD: 6.9 MEDIUM
OSV: 7.5
EPSS: 0.7% (top 26.94%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 14
Latest update: May 22

Description

An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size, so a wild heap buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Affected Packages (4 packages)

CVEListV5: sqlite/sqlite < 3.49.1
NVD: sqlite/sqlite 3.44.0 3.49.1
Debian: ghost/sqlite3 < 3.46.1-3+1
Ubuntu: ghost/sqlite3 < 3.31.1-4ubuntu0.7+2

Vulnerability Details (4)

OSV: sqlite3 vulnerabilities (2025-05-22)
OSV: CVE-2025-3277: An integer overflow can be triggered in SQLite’s `concat_ws()` function (2025-04-14)
CVEList: CVE-2025-3277: An integer overflow can be triggered in SQLite’s `concat_ws()` function (2025-04-14)
GHSA: GHSA-g2ph-wvc2-ph4v: An integer overflow can be triggered in SQLite’s `concat_ws()` function (2025-04-14)

Vendor Advisories (4)

Ubuntu: SQLite vulnerabilities (2025-05-22)
Red Hat: SQLite: integer overflow in SQLite (2025-04-14)
Microsoft: An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, (2025-04-08)
Debian: CVE-2025-3277: sqlite3 - An integer overflow can be triggered in SQLite’s `concat_ws()` function. The res... (2025)