PT-2025-16260 · SQLite (+9 further affected products)

Published: 2025-02-15 · Updated: 2026-02-20 · CVE-2025-3277

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SQLite (affected versions not specified)
Description: An integer overflow can be triggered in SQLite's concat_ws() SQL function. The length of the concatenated result is computed as a wide integer, but the value handed to the allocator is truncated, so a much smaller buffer is allocated; SQLite then writes the result using the original, untruncated length. The result is a heap buffer overflow of roughly 4 GB, which can lead to arbitrary code execution.
Recommendations: This entry records no upstream SQLite release that contains a fix. The vendor advisories listed under Related Identifiers (Red Hat, AlmaLinux, SUSE, Ubuntu, ALT Linux) were issued for this CVE; apply the one for your platform and confirm the installed package version against it. Because concat_ws() is reachable from any SQL the affected library executes, prioritize deployments that run untrusted or attacker-influenced queries.
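The allocate-with-truncated-length, write-with-full-length pattern the description refers to, as an added illustration that is not SQLite's source: a separator-joiner in the shape of concat_ws(), first in the vulnerable form and then with the 64-bit length checked against a result ceiling before any allocation. The 1,000,000,000-byte ceiling mirrors SQLite's default SQLITE_MAX_LENGTH but is only a parameter of this example; narrow_to_int() and ws_required_len() are helpers invented here to show, without allocating anything large, what the allocator sees once a total past 4 GiB is narrowed to an int.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Result-size ceiling used by the checked version. SQLite's default
 * SQLITE_MAX_LENGTH is 1,000,000,000 bytes; here it is just a parameter. */
#define RESULT_LIMIT 1000000000LL

/* 64-bit length of sep-joined parts: sum(lens[i]) + (n-1)*sep_len.
 * Takes lengths rather than strings so huge inputs can be modelled. */
int64_t ws_required_len(int64_t sep_len, const int64_t *lens, int n) {
    int64_t total = 0;
    for (int i = 0; i < n; i++) {
        total += lens[i];
        if (i > 0) total += sep_len;
    }
    return total;
}

/* What a 64-bit total becomes when it is handed to an allocator that takes
 * an int: only the low 32 bits survive. 4,300,000,001 -> 5,032,705. */
int narrow_to_int(int64_t total) {
    return (int)(uint32_t)total;  /* wraps modulo 2^32 */
}

/* VULNERABLE PATTERN (illustrative, not SQLite's code): the buffer is sized
 * from the narrowed value, but the copy loop trusts the wide total. With
 * inputs summing past 4 GiB the allocation is tiny and the copy runs far
 * past it. For small inputs both sizes agree, so the bug stays latent. */
char *concat_ws_unsafe(const char *sep, const char **parts, int n) {
    int64_t sep_len = (int64_t)strlen(sep), total = 0;
    for (int i = 0; i < n; i++) {
        total += (int64_t)strlen(parts[i]);
        if (i > 0) total += sep_len;
    }
    int alloc_len = narrow_to_int(total);          /* truncation happens here */
    char *out = malloc((size_t)alloc_len + 1);
    if (!out) return NULL;
    char *p = out;
    for (int i = 0; i < n; i++) {                  /* ...but all `total` bytes get written */
        if (i > 0) { memcpy(p, sep, (size_t)sep_len); p += sep_len; }
        size_t len = strlen(parts[i]);
        memcpy(p, parts[i], len); p += len;
    }
    *p = '\0';
    return out;
}

/* HARDENED: one 64-bit computation, checked against the ceiling as it grows,
 * and the same checked value drives both the allocation and the copy. */
char *concat_ws_safe(const char *sep, const char **parts, int n, int64_t limit) {
    int64_t sep_len = (int64_t)strlen(sep), total = 0;
    for (int i = 0; i < n; i++) {
        total += (int64_t)strlen(parts[i]);
        if (i > 0) total += sep_len;
        if (total > limit) return NULL;            /* reject before anything is allocated */
    }
    char *out = malloc((size_t)total + 1);
    if (!out) return NULL;
    char *p = out;
    for (int i = 0; i < n; i++) {
        if (i > 0) { memcpy(p, sep, (size_t)sep_len); p += sep_len; }
        size_t len = strlen(parts[i]);
        memcpy(p, parts[i], len); p += len;
    }
    *p = '\0';
    return out;
}
```

The checked version rejects oversize results before malloc rather than after, and never lets a value that was validated at 64 bits be reinterpreted at 32; that second property is the one the vulnerable pattern lacks.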

Weakness Enumeration

Heap-based Buffer Overflow (CWE-122)
Integer Overflow or Wraparound (CWE-190)

Related Identifiers

ALSA-2025:4459
ALSA-2025:7433
ALSA-2025:7517
ALT-PU-2025-9762
BDU:2025-14107
BIT-SQLITE-2025-3277
CESA-2025_4459
CVE-2025-3277
INFSA-2025_4459
INFSA-2025_7433
RHSA-2025:4459
RHSA-2025:7433
RHSA-2025:7517
RHSA-2025_4459
RHSA-2025_7433
SUSE-SU-2025:01455-1
SUSE-SU-2025:01456-1
SUSE-SU-2025:01456-2
SUSE-SU-2025:1455-1
SUSE-SU-2025:1456-1
USN-7528-1

Affected Products

ALT Linux
AlmaLinux
CentOS
IBM AIX
Linux Mint
Red Hat
Rocky Linux
SQLite
SUSE
Ubuntu