SQLite before 3.53.2 Heap Buffer Overflow via FTS5 fts5ChunkIterate
CVE-2026-11824

8.5HIGH

Key Information:

Vendor: Sqlite
Status: Sqlite
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-11824?

SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.

Affected Version(s)

SQLite All platforms where SQLITE_ENABLE_FTS5 is defined 0 < 3.53.2

References

https://sqlite.org/src/info/061febcf41ca

patch

https://sqlite.org/src/info/4a5ad516ea93

patch

https://sqlite.org/releaselog/3_53_2.html

release-notes

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Jun 9, 2026

Credit

Ashish Kunwar (@D0rkerDevil)

CVE-2026-11824 Data

JSON

Sqlite

What is CVE-2026-11824?

Affected Version(s)

References

CVSS V4

Timeline

Credit