CVE-2026-11824

Severity CVSS v4.0:
HIGH
Type:
CWE-122 Heap-based Buffer Overflow
Publication date:
09/06/2026
Last modified:
11/06/2026

Description

SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:* 3.53.2 (excluding)