PatchSiren cyber security CVE debrief
CVE-2026-11824 SQLite CVE debrief
CVE-2026-11824 is a high-severity heap buffer overflow in SQLite's FTS5 full-text search extension. It affects SQLite versions prior to 3.53.2 and lets an attacker who can get a crafted database file opened by a vulnerable application cause a crash or execute arbitrary code. The crafted file carries continuation page metadata whose szLeaf value is smaller than 4; that value triggers an integer underflow in fts5ChunkIterate(), which in turn drives a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5. The CVSS score is 8.5 (HIGH).
- Vendor: SQLite
- Product: Unknown
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Developers and operators of anything that links SQLite with the FTS5 extension compiled in (SQLITE_ENABLE_FTS5) and that opens database files from outside its own trust boundary. The trigger is a crafted database file, so exposure is highest in mobile, web, and desktop applications that import, sync, restore, or otherwise accept SQLite files from users or third parties. An application that only opens databases it created itself, and that protects those files from tampering, has a much smaller attack surface, but it still needs the patched library.
Technical summary
The root cause is a heap-based buffer overflow in the FTS5 full-text search extension. FTS5 keeps its index in leaf pages, and fts5ChunkIterate() walks the continuation pages of an entry that spans more than one leaf page using metadata read from the database file itself, including the szLeaf field. The code assumes szLeaf is at least 4; a crafted page that sets it smaller makes a derived length computation underflow, and the resulting oversized length is used to process attacker-controlled data past the end of a heap buffer. Only builds compiled with SQLITE_ENABLE_FTS5 contain the affected code, and the attacker needs the application to open the crafted database.
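The arithmetic the summary above describes, reduced to a runnable model. This is an added example written for this debrief, not SQLite's own code: the page layout (a 16-bit big-endian szLeaf in the first two bytes, a 4-byte header the payload skips), the function names, and a 64-bit size_t are all assumptions made for illustration. The unchecked path shows how szLeaf below 4 turns into a negative chunk length that wraps to a huge size_t; the checked path is the bound a parser should enforce before trusting the field.

```python
"""Illustrative model of the CVE-2026-11824 bug class: a consumer of FTS5
leaf-page metadata that derives a payload length from szLeaf without
checking szLeaf >= 4. Not SQLite's code; layout, names and the 64-bit
size_t width are assumptions for this example."""

import struct

HEADER_LEN = 4                 # assumed: szLeaf counts a 4-byte header that the payload skips
SIZE_T_MASK = (1 << 64) - 1    # assumed: 64-bit size_t, so a negative C int wraps near 2**64


def make_leaf_page(sz_leaf: int, payload: bytes) -> bytes:
    """Construct a leaf page: 16-bit big-endian szLeaf, a 16-bit field left
    zero, then the payload. The payload is constructed test data."""
    return struct.pack(">HH", sz_leaf, 0) + payload


def read_sz_leaf(page: bytes) -> int:
    """szLeaf is taken from the first two bytes of the page (big-endian)."""
    return struct.unpack_from(">H", page, 0)[0]


def as_size_t(n: int) -> int:
    """What a C int looks like after implicit conversion to size_t."""
    return n & SIZE_T_MASK


def chunk_len_unchecked(page: bytes, n_rem: int) -> int:
    """Pre-fix arithmetic: nChunk = min(nRem, szLeaf - HEADER_LEN) with no
    lower bound on szLeaf. For szLeaf < 4 the result is negative and, once
    it reaches a copy routine as a size_t, wraps to a huge length."""
    n_chunk = min(n_rem, read_sz_leaf(page) - HEADER_LEN)
    return as_size_t(n_chunk)


def chunk_len_checked(page: bytes, n_rem: int) -> int:
    """Hardened arithmetic: reject metadata that cannot describe this page."""
    sz_leaf = read_sz_leaf(page)
    if sz_leaf < HEADER_LEN or sz_leaf > len(page):
        raise ValueError(
            f"corrupt continuation page: szLeaf={sz_leaf}, page={len(page)} bytes"
        )
    return min(n_rem, sz_leaf - HEADER_LEN)


def page_is_rejected(page: bytes) -> bool:
    """True if the hardened check refuses this page's metadata."""
    try:
        chunk_len_checked(page, 0)
        return False
    except ValueError:
        return True


def would_overflow(page: bytes, n_rem: int, dest_len: int) -> bool:
    """True if the pre-fix chunk length, copied into a dest_len-byte heap
    buffer, would write past its end."""
    return chunk_len_unchecked(page, n_rem) > dest_len


if __name__ == "__main__":
    benign = make_leaf_page(sz_leaf=20, payload=b"A" * 16)   # constructed: consistent 20-byte page
    hostile = make_leaf_page(sz_leaf=2, payload=b"B" * 16)   # constructed: szLeaf < 4
    print("benign  nChunk:", chunk_len_unchecked(benign, 16), "overflow:", would_overflow(benign, 16, 16))
    print("hostile nChunk:", chunk_len_unchecked(hostile, 16), "overflow:", would_overflow(hostile, 16, 16))
    print("hostile rejected by hardened check:", page_is_rejected(hostile))
```

The upper bound (szLeaf must not exceed the page length) is as important as the lower one: both fields come from the file, so neither can be trusted until it has been checked against something the reader controls, such as the actual size of the buffer it just read.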
Defensive priority
High
Recommended defensive actions
- Update SQLite to version 3.53.2 or later. A system package update only reaches the shared library; any application that bundles its own copy of SQLite (for example a statically linked or vendored amalgamation compiled with SQLITE_ENABLE_FTS5) has to be rebuilt against the patched source and redeployed.
- Until the patched library is in place, treat database files from untrusted sources as hostile: do not open them in FTS5-enabled builds, or open them only inside an isolated, low-privilege process.
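A triage check for the two conditions above, written as an added example for this debrief rather than taken from PatchSiren or the SQLite project: it reads the version of the SQLite library linked into the running Python interpreter, compares it against the fixed release named in the advisory, and probes whether FTS5 is present. The 3.53.2 threshold comes from the advisory text; everything else is the example's own.

```python
"""Added triage check for CVE-2026-11824: is the SQLite library linked into
this Python process at or past the fixed release, and does it carry FTS5?
Example code for this debrief, not a PatchSiren or SQLite tool."""

import sqlite3

FIXED_VERSION = (3, 53, 2)   # first release without the bug, per the advisory


def parse_version(text: str) -> tuple:
    """'3.53.2' -> (3, 53, 2); a missing component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed(version: str) -> bool:
    """True if this version string is 3.53.2 or later."""
    return parse_version(version) >= FIXED_VERSION


def fts5_loaded(conn: sqlite3.Connection) -> bool:
    """Probe by creating an FTS5 virtual table; a build without the
    extension fails with 'no such module: fts5'."""
    try:
        conn.execute("CREATE VIRTUAL TABLE fts5_probe USING fts5(content)")
        conn.execute("DROP TABLE fts5_probe")
        return True
    except sqlite3.OperationalError:
        return False


def fts5_compile_option(conn: sqlite3.Connection):
    """Cross-check via sqlite_compileoption_used(); returns None when the
    build omits compile-option diagnostics and the function is missing."""
    try:
        row = conn.execute(
            "SELECT sqlite_compileoption_used('ENABLE_FTS5')"
        ).fetchone()
        return bool(row[0])
    except sqlite3.OperationalError:
        return None


def assess_linked_sqlite() -> dict:
    """Summarise exposure of the SQLite library this interpreter links."""
    version = sqlite3.sqlite_version
    conn = sqlite3.connect(":memory:")
    try:
        has_fts5 = fts5_loaded(conn)
        option = fts5_compile_option(conn)
    finally:
        conn.close()
    fixed = is_fixed(version)
    return {
        "version": version,
        "fixed": fixed,
        "fts5": has_fts5,
        "fts5_compile_option": option,
        # Exposed only if the affected code is present and the build predates the fix.
        "exposed": has_fts5 and not fixed,
    }


if __name__ == "__main__":
    for key, value in assess_linked_sqlite().items():
        print(f"{key}: {value}")
```

Run it inside the runtime that actually serves the application, since the question is which library that process links, not which one the system package manager reports. A native application gets the same answer from sqlite3_libversion_number() (3.53.2 is 3053002) and sqlite3_compileoption_used("ENABLE_FTS5"), and an application that bundles its own SQLite must be checked on its own binary, not on the host library.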
Evidence notes
The affected range (all versions prior to 3.53.2) and the fixed release are taken from the CVE record and the NVD entry. The reference list below carries the vendor release notes, the issue-tracker entries for the patch, and a third-party advisory; CISA KEV status is not present in the stored evidence.
Official resources
- CVE-2026-11824 CVE record (CVE.org)
- CVE-2026-11824 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Release Notes)
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
- Mitigation or vendor reference: [email protected] (Third Party Advisory)
CVE-2026-11824 was published on 2026-06-09T20:16:32.300Z and modified on 2026-06-11T17:12:11.600Z.