CVE-2025-29088

Severity: Medium (CVSS 3.1 base score 5.5) · EPSS 6.5%
Published Apr 10, 2025 · Modified Jun 17, 2026

Description

In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
6.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-190 Integer Overflow or Wraparound Numeric Error

Affected Products 1

Vendor   Product   Version   Range
sqlite   sqlite    3.49.0    any

References 5

  • gist.github.com https://gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248
    Third Party Advisory
  • github.com https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
    Patch
  • sqlite.org https://sqlite.org/forum/forumpost/48f365daec
    Third Party Advisory
  • sqlite.org https://sqlite.org/releaselog/3_49_1.html
    Release Notes
  • sqlite.org https://www.sqlite.org/cves.html
    Vendor Advisory

Remediation

  • github.com https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
    Patch