CVE-2026-11824
Severity CVSS v4.0:
HIGH
Type:
CWE-122
Heap-based Buffer Overflow
Publication date:
09/06/2026
Last modified:
11/06/2026
Description
SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.
Impact
Base Score 4.0
8.50
Severity 4.0
HIGH
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:* | 3.53.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



