{"uuid": "5ba567f5-bad3-4256-90b4-2bfaa68c9ec4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11822", "type": "seen", "source": "https://gist.github.com/alon710/ed8bc6e2d4b9ba716afc36a52ec2f0d1", "content": "# CVE-2026-11822: CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension\n\n&gt; **CVSS Score:** 7.8\n&gt; **Published:** 2026-06-09\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-11822\n\n## Summary\nA memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.\n\n## TL;DR\nA vulnerability in SQLite FTS5 allows local attackers to cause memory corruption and arbitrary code execution by querying a maliciously crafted database file.\n\n## Technical Details\n\n- **CWE ID**: CWE-122, CWE-125\n- **Attack Vector**: Local\n- **CVSS**: 7.8 (High)\n- **EPSS Score**: 0.00175\n- **Exploit Status**: None / Proof-of-Concept not publicly available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js\n- Echo framework\n- Debian Linux\n- Ubuntu Linux\n- Alma Linux\n- Photon OS\n- openSUSE\n- Chromium-based browsers\n- **SQLite**: &lt; 3.53.2 (Fixed in: `3.53.2`)\n\n## Mitigation\n\n- Upgrade SQLite to version 3.53.2 or later\n- Compile SQLite with -DSQLITE_ENABLE_FTS5=0 to disable the vulnerable module\n- Implement sandbox controls on processes loading SQLite databases\n\n**Remediation Steps:**\n1. Identify all applications compiling or dynamically linking SQLite\n2. Apply the official patch or upgrade to SQLite 3.53.2\n3. Verify FTS5 compilation flags if upgrade is not possible\n\n## References\n\n- [Official SQLite Release Log (v3.53.2)](https://sqlite.org/releaselog/3_53_2.html)\n- [SQLite Branch 3.53 Patch Commit (061febcf41ca)](https://sqlite.org/src/info/061febcf41ca)\n- [SQLite Trunk Patch Commit (4a5ad516ea93)](https://sqlite.org/src/info/4a5ad516ea93)\n- [VulnCheck Security Advisory](https://www.vulncheck.com/advisories/sqlite-before-memory-corruption-in-fts5-extension)\n- [Wiz Vulnerability Database Profile](https://www.wiz.io/vulnerability-database/cve/cve-2026-11822)\n- [CVE Record on CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-11822)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-11822) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T07:59:30.709028Z"}