{"uuid": "a4c3b3bf-41bb-412a-b415-ff084a613a51", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-qj7j-3jp8-8ccv", "type": "seen", "source": "https://gist.github.com/alon710/2046460989ab8e559515c0789ce99248", "content": "# CVE-2025-6965: CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser\n\n&gt; **CVSS Score:** 7.7\n&gt; **Published:** 2025-07-15\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2025-6965\n\n## Summary\nAn integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.\n\n## TL;DR\nInteger truncation in SQLite's aggregate query compiler allows remote code execution or denial of service through out-of-bounds heap reads and writes when processing queries with over 32,767 unique columns.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-197\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 7.7 (High)\n- **EPSS Score**: 0.73495 (99.40th percentile)\n- **Impact**: Memory Corruption / Remote Code Execution\n- **Exploit Status**: PoC Available\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- SQLite Database Engine\n- Apple iOS\n- Apple macOS\n- Apple watchOS\n- Apple tvOS\n- Apple iPadOS\n- Apple visionOS\n- Siemens Ruggedcom Crossbow\n- Siemens SIDIS Prime\n\n## Mitigation\n\n- Upgrade native SQLite binaries to 3.50.2 or newer\n- Filter incoming SQL query strings to reject abnormally large or highly complex column expressions\n- Enable compiler warnings for implicit truncation inside native compilation pipelines\n\n**Remediation Steps:**\n1. Identify all systems executing native SQLite binaries, including packaged wrappers like NuGet SQLitePCLRaw.\n2. Apply the vendor security updates or replace library components with 3.50.2 compliant versions.\n3. Verify runtime checks in non-debug release builds to ensure error checking functions handle oversized query limits safely.\n\n## References\n\n- [SQLite Source Code Trunk Fix Info](https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8)\n- [OSS-Security Mailing List Announcement](http://www.openwall.com/lists/oss-security/2025/09/06/1)\n- [Google Security Research Advisory](https://github.com/google/security-research/security/advisories/GHSA-qj7j-3jp8-8ccv)\n- [GitHub Advisory Database Entry](https://github.com/github/advisory-database/pull/7675)\n- [Siemens SSA-225816 Advisory (Ruggedcom)](https://cert-portal.siemens.com/productcert/html/ssa-225816.html)\n- [Siemens SSA-485750 Advisory (SIDIS Prime)](https://cert-portal.siemens.com/productcert/html/ssa-485750.html)\n- [Apple Security Advisory](http://seclists.org/fulldisclosure/2025/Sep/49)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2025-6965) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T07:59:30.935665Z"}