CVE-2026-11824
Status: Received - Intake
Heap-based Buffer Overflow in SQLite FTS5 Extension

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description
SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: sqlite
Product: sqlite
Version / Range: up to 3.53.2 (exclusive)
CWE
CWE ID: CWE-122
Description: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Executive Summary

SQLite versions before 3.53.2 contain a heap-based buffer overflow vulnerability in the FTS5 full-text search extension.

This vulnerability occurs when an attacker supplies a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4.

This causes an integer underflow in the fts5ChunkIterate() function, which leads to an inflated remaining byte count during FTS5 MATCH query processing.

As a result, a heap buffer overflow occurs with attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.

Impact Analysis

This vulnerability can allow attackers to cause a crash of the affected application or execute arbitrary code.

Exploitation requires supplying a specially crafted database that triggers the heap buffer overflow during FTS5 MATCH query processing.

The impact is significant for applications compiled with SQLITE_ENABLE_FTS5, potentially leading to denial of service or full compromise of the application.

Detection Guidance

The vulnerability in SQLite's FTS5 extension can be detected by checking for corrupt database records that trigger the heap-based buffer overflow. A new test case named fts5corruptA.test was added to SQLite's test suite to detect such corrupt records.

To detect if your system is vulnerable, you should verify the SQLite version in use and whether it is compiled with SQLITE_ENABLE_FTS5. Versions before 3.53.2 are affected.

While no specific commands for detection are provided in the resources, you can check the SQLite version by running the following command in your environment:

  • sqlite3 --version

Additionally, you can attempt to run the fts5corruptA.test test case from the SQLite test suite if you have access to the source and test environment, which is designed to detect corrupt FTS5 records related to this vulnerability.
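The sqlite3 command reports only the version of the command-line shell, while applications usually link or bundle their own copy of the library. The following added example (not taken from the advisory or from the SQLite project) applies the two conditions above, version before 3.53.2 and FTS5 available, to the SQLite library linked into a Python interpreter. The function names and the status labels are assumptions made for this illustration.

```python
import sqlite3

FIXED = (3, 53, 2)  # first fixed release according to the advisory text

def parse_version(text):
    """Turn '3.45.1' or full 'sqlite3 --version' output into (3, 45, 1)."""
    fields = text.split()
    if not fields:
        raise ValueError("empty version string")
    parts = [int(p) for p in fields[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(version_text, fts5_enabled):
    """Classify exposure from a version string and FTS5 availability."""
    if parse_version(version_text) >= FIXED:
        return "fixed"
    return "affected" if fts5_enabled else "outdated-fts5-absent"

def probe():
    """Ask the SQLite library linked into this interpreter about itself."""
    conn = sqlite3.connect(":memory:")
    try:
        version = conn.execute("SELECT sqlite_version()").fetchone()[0]
        options = [row[0] for row in conn.execute("PRAGMA compile_options")]
        fts5 = "ENABLE_FTS5" in options
        if not fts5:
            # compile_options can be empty (SQLITE_OMIT_COMPILEOPTION_DIAGS),
            # so confirm by trying to create a throwaway FTS5 table.
            try:
                conn.execute("CREATE VIRTUAL TABLE temp.fts5_probe USING fts5(x)")
                fts5 = True
            except sqlite3.OperationalError:
                fts5 = False
        return version, fts5
    finally:
        conn.close()

if __name__ == "__main__":
    version, fts5 = probe()
    print(f"SQLite {version}, FTS5 available: {fts5} -> {assess(version, fts5)}")
```

The same assess() call accepts the text printed by sqlite3 --version, so it can be used on output collected from other hosts.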

Mitigation Strategies

The primary mitigation step is to upgrade SQLite to version 3.53.2 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, avoid processing untrusted or crafted databases that use the FTS5 extension, especially those that might contain malicious continuation page metadata.

Ensure that applications using SQLite are compiled with the latest patches and verify that SQLITE_ENABLE_FTS5 is enabled only if necessary.
