SQLite before 3.53.2 Memory Corruption in FTS5 Extension
CVE-2026-11822

8.5HIGH

Key Information:

Vendor: Sqlite
Status: Sqlite
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-11822?

SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.

Affected Version(s)

SQLite All platforms where SQLITE_ENABLE_FTS5 is defined 0 < 3.53.2

References

https://sqlite.org/src/info/061febcf41ca

patch

https://sqlite.org/src/info/4a5ad516ea93

patch

https://sqlite.org/releaselog/3_53_2.html

release-notes

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Jun 9, 2026

Credit

Ashish Kunwar (@D0rkerDevil)

CVE-2026-11822 Data

JSON

Sqlite

What is CVE-2026-11822?

Affected Version(s)

References

CVSS V4

Timeline

Credit