SQLite FTS5 integer-overflow (CVE-2025-7709) — update embedded SQLite now

Security · Databases · DevOps

Key update

An integer-overflow bug in SQLite's FTS5 extension (CVE-2025-7709) can truncate a 64-bit size to 32 bits when allocating a tombstone pointer array, enabling an out-of-bounds write if an attacker can supply a crafted FTS5 table or execute attacker-controlled queries. Upstream fixed the bug (patch committed in July 2025 and included in patched releases), and maintainers have started issuing distro updates; affected versions include some 3.49 and 3.50 series releases. Apply the upstream patch or install your vendor's updated package (or rebuild any static binaries linking SQLite) as soon as possible. (github.com)

Why it matters

FTS5 is widely used for full‑text search inside many desktop, mobile, and server applications and is often compiled into applications or OS packages. The flaw can be triggered either by processing a maliciously crafted SQLite database file or by running specially crafted queries when FTS5 is enabled, which means applications that accept external DB files or let untrusted users run queries are at risk. For teams this means three practical actions: (1) prioritize installing vendor patches (or upgrade to the patched SQLite release), (2) for statically linked or embedded SQLite builds, rebuild with the upstream fix, and (3) where immediate patching isn't possible, avoid processing untrusted FTS5 databases and audit any feature that imports or indexes external DB files. Distro advisories and trackers list package statuses and fixed versions — confirm your platform's package has been updated before declaring systems remediated. (ubuntu.com)
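The actions above reduce to two checks a team can script: know which SQLite each process links and whether FTS5 is compiled into it, and refuse to open untrusted database files that declare FTS5 tables until the build is patched. The following is an added example (not code from the advisory or from the SQLite project) that does both with Python's standard `sqlite3` module. The fixed version it compares against is a placeholder that you must replace with the value from your vendor advisory, and the two database files it scans are constructed in a temporary directory for demonstration.

```python
"""Pre-flight checks for SQLite/FTS5 exposure (added example, not advisory code).

1. Report the SQLite linked into this process, whether FTS5 is compiled in,
   and whether the version precedes the fixed version from your advisory.
2. Scan an untrusted database file's schema for FTS5 virtual tables before
   the application opens it for real, so such files can be quarantined.
"""
import pathlib
import re
import sqlite3
import tempfile

# PLACEHOLDER: replace with the first fixed version named in your vendor advisory.
FIXED_VERSION_PLACEHOLDER = "3.50.0"

# Matches the DDL SQLite stores in sqlite_master for an FTS5 virtual table.
FTS5_DDL = re.compile(r"\bUSING\s+fts5\b", re.IGNORECASE)


def parse_version(text):
    """'3.50.4' -> (3, 50, 4), comparable with sqlite3.sqlite_version_info."""
    return tuple(int(part) for part in text.split("."))


def needs_update(linked, fixed):
    """True when the linked version precedes the first fixed version."""
    return tuple(linked) < tuple(fixed)


def linked_sqlite_report(fixed_version):
    """Describe the SQLite linked into this process and whether it is exposed."""
    conn = sqlite3.connect(":memory:")
    try:
        options = {row[0] for row in conn.execute("PRAGMA compile_options")}
        try:
            # Creating an empty in-memory table only confirms the module exists.
            conn.execute("CREATE VIRTUAL TABLE probe USING fts5(x)")
            fts5_usable = True
        except sqlite3.OperationalError:
            fts5_usable = False
    finally:
        conn.close()
    linked = sqlite3.sqlite_version_info
    fts5 = "ENABLE_FTS5" in options or fts5_usable
    return {
        "version": linked,
        "fts5_compiled_in": fts5,
        "needs_update": needs_update(linked, fixed_version),
        # Only a pre-fix build with FTS5 compiled in can reach the bug.
        "exposed": fts5 and needs_update(linked, fixed_version),
    }


def scan_for_fts5(path):
    """Return names of FTS5 virtual tables declared in an untrusted DB file.

    Opens the file read-only and reads only sqlite_master. SQLite connects a
    virtual table's module only when the table is first referenced, so listing
    the schema does not run FTS5 code over the file's contents.
    """
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT name, sql FROM sqlite_master "
            "WHERE type = 'table' AND sql IS NOT NULL"
        ).fetchall()
    finally:
        conn.close()
    return [name for name, sql in rows if FTS5_DDL.search(sql)]


def make_fixture(path, with_fts5):
    """Build a constructed sample database; optionally declare an FTS5 table.

    If FTS5 is not compiled into the linked SQLite, the CREATE VIRTUAL TABLE
    row is written straight into sqlite_master (writable_schema) so the scanner
    still has something to find without the module being present.
    """
    conn = sqlite3.connect(str(path))
    conn.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO notes(body) VALUES ('constructed sample row')")
    if with_fts5:
        ddl = "CREATE VIRTUAL TABLE docs USING fts5(body)"
        try:
            conn.execute(ddl)
        except sqlite3.OperationalError:
            conn.execute("PRAGMA writable_schema=ON")
            conn.execute(
                "INSERT INTO sqlite_master(type, name, tbl_name, rootpage, sql) "
                "VALUES ('table', 'docs', 'docs', 0, ?)", (ddl,))
    conn.commit()
    conn.close()


def build_and_scan_demo():
    """Scan one constructed file with an FTS5 table and one without."""
    with tempfile.TemporaryDirectory() as tmp:
        tainted = pathlib.Path(tmp) / "untrusted_with_fts5.db"
        plain = pathlib.Path(tmp) / "untrusted_plain.db"
        make_fixture(tainted, True)
        make_fixture(plain, False)
        return {"with_fts5": scan_for_fts5(tainted),
                "without_fts5": scan_for_fts5(plain)}


if __name__ == "__main__":
    print(linked_sqlite_report(parse_version(FIXED_VERSION_PLACEHOLDER)))
    print(build_and_scan_demo())
```

The version report describes only the SQLite linked into the Python process that runs it; an application that bundles its own SQLite (a static binary, a mobile app, a vendored amalgamation) must be checked against the library it actually links, which is why the advisory calls out rebuilding those separately. The schema scan is a gate for import or indexing features: a file that lists any FTS5 table is held back until the linked build is confirmed fixed, while plain files pass through unchanged.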
