CVE-2026-11822

Public on 2026-06-09
Modified on 2026-06-17
Description
SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.8
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2023 nodejs22 2026-07-07 ALAS2023-2026-1921 Fixed
Amazon Linux 2023 nodejs24 2026-07-07 ALAS2023-2026-1920 Fixed
Amazon Linux 2 - Core perl-DBD-SQLite Not Affected
Amazon Linux 2023 perl-DBD-SQLite Not Affected
Amazon Linux 2023 perl-DateTime-Format-SQLite Not Affected
Amazon Linux 2 - Core rust Not Affected
Amazon Linux 2023 rust Not Affected
Amazon Linux 2023 rust-cargo-c Not Affected
Amazon Linux 2 - Core sqlite Not Affected
Amazon Linux 2023 sqlite 2026-07-07 ALAS2023-2026-1903 Fixed
Amazon Linux 2 - Core tcl Not Affected
Amazon Linux 2023 tcl Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H