CVE-2026-11822
Received Received - Intake
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description
SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-11822
EUVD
EUVD-2026-35794
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sqlite sqlite to 3.53.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11822 is a memory corruption vulnerability in SQLite versions before 3.53.2, specifically in the FTS5 full-text search extension.

The vulnerability arises when attackers supply a crafted database containing malformed FTS5 page data, which triggers an out-of-bounds read in the fts5LeafSeek() function and a heap buffer overflow write in fts5ChunkIterate() due to an integer underflow.

This can be exploited when an FTS5 MATCH query is executed against the malicious database, potentially leading to process crashes, memory exhaustion, or arbitrary code execution.

Impact Analysis

If exploited, this vulnerability can cause serious impacts including process crashes, memory exhaustion, and arbitrary code execution on systems using vulnerable SQLite versions.

This means an attacker could potentially crash applications relying on SQLite or execute malicious code, compromising system stability and security.

Detection Guidance

Detection of this vulnerability involves identifying corrupt database records in the FTS5 extension of SQLite. A new test case named fts5corruptA.test was added to SQLite's test suite to detect such corrupt records.

While no specific network or system commands are provided in the resources, running the SQLite test suite including the fts5corruptA.test can help detect the presence of malformed FTS5 page data that triggers the vulnerability.

Mitigation Strategies

The primary mitigation step is to upgrade SQLite to version 3.53.2 or later, where the vulnerability has been fixed.

Avoid using vulnerable versions of SQLite (versions before 3.53.2) especially when processing databases that use the FTS5 full-text search extension.

If upgrading immediately is not possible, restrict access to databases using FTS5 to trusted users and avoid executing FTS5 MATCH queries on untrusted or potentially malicious databases.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11822. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart