PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11822 SQLite CVE debrief

CVE-2026-11822 is a high-severity vulnerability in SQLite's FTS5 full-text search extension. An attacker who can supply a crafted database containing malformed FTS5 page data can cause process crashes, memory exhaustion, or arbitrary code execution. Two defects are involved: an out-of-bounds read in fts5LeafSeek(), reached through an attacker-controlled loop bound, and a heap buffer overflow write in fts5ChunkIterate(), reached through a crafted continuation page. Both are triggered when an FTS5 MATCH query is executed against the malicious database.

Vendor: SQLite
Product: Unknown
CVSS: 8.5 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-11
Advisory published: 2026-06-09
Advisory updated: 2026-06-11

Who should care

Users of SQLite versions before 3.53.2 who use the FTS5 full-text search extension, in particular those that run FTS5 MATCH queries against database files from outside sources, should be aware of this vulnerability. Successful exploitation could lead to process crashes, memory exhaustion, or arbitrary code execution.

Technical summary

The vulnerability exists in the FTS5 full-text search extension of SQLite versions before 3.53.2. It consists of memory corruption defects that are triggered by supplying a crafted database with malformed FTS5 page data. Two defects are reported: an out-of-bounds read in fts5LeafSeek() and a heap buffer overflow write in fts5ChunkIterate(). Both are reached when an FTS5 MATCH query is executed against the maliciously crafted database, so the trigger is a query that the application itself issues.

Defensive priority

High

Recommended defensive actions

  • Upgrade to SQLite version 3.53.2 or later to mitigate this vulnerability.
  • Avoid executing FTS5 MATCH queries against untrusted databases.
  • Ensure that databases are validated and sanitized before use.
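As an added example, not part of the PatchSiren debrief and not SQLite's own code, the Python script below turns the three recommendations into a check an application can run before issuing FTS5 MATCH queries: it compares the linked SQLite library against the fixed version 3.53.2 named in the advisory, lists the FTS5 virtual tables declared in a database file by reading only its schema catalogue (no MATCH is executed, so the FTS5 index pages are not walked), and refuses MATCH queries against untrusted files on an unpatched library. The function names, the trusted/untrusted policy, and the constructed sample database are assumptions of this example.

```python
import os
import re
import sqlite3
import tempfile

# Fixed version taken from the advisory text: SQLite 3.53.2 or later.
FIXED_VERSION = (3, 53, 2)

# Matches the schema text of an FTS5 virtual table, for example
# "CREATE VIRTUAL TABLE docs USING fts5(title, body)".
_FTS5_DECL = re.compile(r"\bUSING\s+fts5\s*\(", re.IGNORECASE)


def parse_version(version_string):
    """Turn 'major.minor.patch' into a comparable tuple; missing parts count as 0."""
    parts = [int(p) for p in version_string.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def library_is_patched(version_string=None):
    """True if the given (or the linked) SQLite library is at or above the fixed version."""
    return parse_version(version_string or sqlite3.sqlite_version) >= FIXED_VERSION


def is_fts5_declaration(create_sql):
    """True if a sqlite_master 'sql' entry declares an FTS5 virtual table."""
    return bool(create_sql) and _FTS5_DECL.search(create_sql) is not None


def fts5_tables(db_path):
    """List the FTS5 virtual tables declared in a database file.

    Only the schema catalogue (sqlite_master) is read, in read-only mode.
    No MATCH query is issued, so the FTS5 leaf and chunk pages that a
    crafted file would corrupt are never iterated here; the shadow tables
    FTS5 creates (notes_fts_data, notes_fts_idx, ...) are plain tables
    and do not match the declaration pattern.
    """
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT name, sql FROM sqlite_master WHERE type = 'table'"
        ).fetchall()
    finally:
        conn.close()
    return [name for name, sql in rows if is_fts5_declaration(sql)]


def fts5_match_allowed(db_path, trusted_source=False, version_string=None):
    """Gate FTS5 MATCH queries according to the advisory's guidance (assumed policy).

    Returns (allowed, reason). MATCH is allowed when the library is patched,
    when the file declares no FTS5 tables, or when the file comes from a
    trusted source; an untrusted file with FTS5 tables on an unpatched
    library is refused.
    """
    if library_is_patched(version_string):
        return True, "SQLite library is 3.53.2 or later"
    tables = fts5_tables(db_path)
    if not tables:
        return True, "database declares no FTS5 tables"
    if trusted_source:
        return True, "FTS5 tables present but source is trusted"
    return False, "unpatched library and untrusted FTS5 tables: " + ", ".join(tables)


def build_sample_db(with_fts5):
    """Create a constructed sample database in a temp file.

    Returns (path, created_fts5). The FTS5 table is only created when the
    linked library has the FTS5 module compiled in.
    """
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    created_fts5 = False
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO notes(body) VALUES ('constructed sample row')")
        if with_fts5:
            try:
                conn.execute("CREATE VIRTUAL TABLE notes_fts USING fts5(body)")
                created_fts5 = True
            except sqlite3.OperationalError:
                pass  # FTS5 module not available in this build
        conn.commit()
    finally:
        conn.close()
    return path, created_fts5


def remove_sample_db(path):
    """Delete a sample database created by build_sample_db."""
    os.remove(path)


if __name__ == "__main__":
    print("linked SQLite:", sqlite3.sqlite_version, "patched:", library_is_patched())
    path, has_fts5 = build_sample_db(with_fts5=True)
    print("FTS5 tables:", fts5_tables(path))
    # Simulate an unpatched library to show the gate refusing an untrusted file.
    print(fts5_match_allowed(path, version_string="3.53.1"))
    remove_sample_db(path)
```

The version string parameter exists so the policy can be exercised against a simulated unpatched library; in production, call fts5_match_allowed without it so the linked library's real version is used. Reading sqlite_master does not connect the FTS5 virtual table, which is why the schema scan is safe to run on an untrusted file even on an unpatched build.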

Evidence notes

The vulnerability is confirmed by the SQLite release notes and issue tracking information. The CVSS score is 8.5, indicating high severity.
