CVE-2026-50813
Received Received - Intake

SQLite Session Extension Information Disclosure Vulnerability

Vulnerability report for CVE-2026-50813, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: MITRE

Description

An issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive information via the Session Extension changeset concat/changegroup merge path

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
sqlite sqlite to 3.53.1 (exc)
sqlite sqlite From 3.53.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-50813 is a buffer overread vulnerability in the SQLite Session Extension that occurs when processing malformed or corrupt changeset blobs. Specifically, functions like sqlite3changeset_concat() or sqlite3changegroup_add() can read beyond the intended buffer boundary during variable-length integer (varint) parsing. This happens due to improper handling of corrupt changesets, leading to unintended memory access.

The vulnerability allows a local attacker to obtain sensitive information by exploiting this out-of-bounds read. The issue was fixed by modifying the session module code to properly handle variable-length integers and prevent out-of-bounds reads.

Impact Analysis

This vulnerability can impact confidentiality and availability. An attacker who can provide a specially crafted changeset can cause SQLite to read memory beyond the intended buffer, potentially exposing adjacent memory bytes (up to four bytes demonstrated). This could lead to disclosure of sensitive information stored in memory.

Additionally, the vulnerability can cause unintended memory access that might affect the stability of the application, impacting availability. However, no code execution or privilege escalation has been demonstrated.

Detection Guidance

This vulnerability involves processing corrupt or specially crafted changesets in the SQLite Session Extension, which can lead to buffer overread. Detection involves identifying usage of vulnerable SQLite versions and monitoring for suspicious changeset operations.

To detect if your system is vulnerable, you can check the SQLite version in use and whether it includes the fix from check-in 869a51ae84df or later.

Suggested commands to check SQLite version:

  • sqlite3 --version

Additionally, monitoring logs or application behavior for errors related to changeset concatenation or corruption (e.g., SQLITE_CORRUPT errors) may help identify exploitation attempts.

There are no specific network detection commands provided in the resources, as this is a local vulnerability triggered by malformed changesets.

Mitigation Strategies

The primary mitigation step is to update SQLite to a version that includes the fix from check-in 869a51ae84df or later, which addresses the buffer overread vulnerability in the session module.

If updating immediately is not possible, avoid processing untrusted or potentially corrupt changesets with the vulnerable SQLite session extension functions such as sqlite3changeset_concat() or sqlite3changegroup_add().

Monitor application logs for SQLITE_CORRUPT errors that may indicate attempts to exploit this vulnerability.

Compliance Impact

This vulnerability allows a local attacker to obtain sensitive information due to an out-of-bounds read in SQLite's session module. Such unauthorized disclosure of sensitive data could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

However, the available information does not explicitly discuss the direct impact on compliance with these standards or any regulatory requirements.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50813. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart