CVE-2026-11822: SQLite before 3.53.2 Memory Corruption in FTS5 Extension
SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: 3.53.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
Memory corruption vulnerabilities in the FTS5 full-text search extension of SQLite before 3.53.2 allow an attacker to trigger an out-of-bounds read and a heap buffer overflow write by supplying a crafted database file with malformed FTS5 page data. The attack is local and requires no authentication, but a user or process must execute an FTS5 MATCH query against the attacker-controlled database. Successful exploitation enables arbitrary code execution, process crashes, or memory exhaustion within the affected process. A patched-image rebuild at SQLite 3.53.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-11822 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle SQLite. Any image containing SQLite below 3.53.2 is flagged automatically in both registry scans and CI/CD pipeline checks.
- Triage: Available. Triage is available with the CVSS v4.0 score of 8.5 (HIGH) applied to each matched image, weighted against the per-environment compliance policy configured by the customer org. Findings are routed to the appropriate team inbox based on image ownership and policy severity thresholds.
- Remediation: Available. A patched-image rebuild at SQLite 3.53.2 is available on HarborGuard for any environment where a matching image is detected. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required. The attacker needs an existing shell or process on the host; no network access to the target is required.
- Authentication: Not required. No credentials or account are needed; the attack is triggered by supplying a crafted database file to any process that opens it.
- Victim interaction: Required. A user or automated process must execute an FTS5 MATCH query against the attacker-supplied database, making some degree of social engineering or file-planting necessary.
- Attack complexity: Low (CVSS AC:L). The exploit is reliable and condition-free once the malicious database is in place; no race conditions or specific memory layout requirements are noted.
Blast Radius
- Arbitrary code execution is achievable within the process that opens the malicious database, giving the attacker control over that process's execution context.
- The heap buffer overflow write and out-of-bounds read allow the attacker to read and overwrite process memory, exposing in-memory secrets such as session tokens or cached query results.
- The affected process can be crashed outright, disrupting any service or application that depends on SQLite for storage.
- Memory exhaustion can be induced, degrading or halting the host application without a clean crash signal.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11822 fires within minutes of image ingestion for any image containing SQLite below 3.53.2, covering both pulled base images and custom-built images that vendor SQLite directly. For customers who opt into auto-remediation, HarborGuard rebuilds the image at SQLite 3.53.2, runs a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image at 3.53.2 is staged and the finding is routed to the responsible team with CVSS score, affected layer, and remediation diff attached. As an interim compensating control, restricting which processes and users can supply arbitrary database files to SQLite-backed services limits the practical exploitability of this vulnerability until a rebuild is promoted to production.
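As an added illustration of the compensating control above (example code written for this page, not part of the advisory or of HarborGuard's tooling), the check below gates FTS5 MATCH queries against untrusted database files: it refuses them only while the linked SQLite library is below 3.53.2 with FTS5 compiled in, and it inspects the file's schema without running a MATCH, the operation the advisory identifies as the trigger. The version threshold comes from the advisory; the schema regex, the function names, and the assumption that reading sqlite_master does not itself touch FTS5 leaf pages are this example's own.

```python
import re
import sqlite3
from typing import Iterable, List, Optional, Tuple

# Version in which the FTS5 memory-corruption bugs are fixed (from the advisory).
FIXED_VERSION = (3, 53, 2)

# Matches "CREATE VIRTUAL TABLE ... USING fts5(...)" (case-insensitive);
# plain fts5 tables only, not the fts5vocab helper module.
_FTS5_RE = re.compile(r"\bUSING\s+fts5\s*\(", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.53.1' -> (3, 53, 1); numeric compare, so '3.9.0' sorts below '3.53.2'."""
    return tuple(int(part) for part in text.split("."))


def fts5_compiled_in() -> bool:
    """Probe the linked library: creating an fts5 table fails if the module is absent."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("CREATE VIRTUAL TABLE probe USING fts5(body)")
        return True
    except sqlite3.OperationalError:  # "no such module: fts5"
        return False
    finally:
        con.close()


def library_is_vulnerable(version: str, fts5_enabled: bool) -> bool:
    """Affected only when FTS5 is present and the version is below 3.53.2."""
    return fts5_enabled and parse_version(version) < FIXED_VERSION


def find_fts5_tables(schema_sql: Iterable[Optional[str]]) -> List[str]:
    """Return the CREATE statements that declare fts5 virtual tables."""
    return [sql for sql in schema_sql if sql and _FTS5_RE.search(sql)]


def fts5_tables_in_file(path: str) -> List[str]:
    """Open the untrusted file read-only and read sqlite_master only; no MATCH is run."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT sql FROM sqlite_master WHERE type='table'").fetchall()
        return find_fts5_tables(row[0] for row in rows)
    finally:
        con.close()


def allow_fts5_match(path: str, version: str = sqlite3.sqlite_version) -> bool:
    """Gate: refuse MATCH against an untrusted file containing fts5 tables while unpatched."""
    if not library_is_vulnerable(version, fts5_compiled_in()):
        return True
    return not fts5_tables_in_file(path)
```

The gate is a stopgap for services that accept user-supplied database files; upgrading the linked library to 3.53.2 remains the fix.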
Affected Products
- SQLite / SQLite: versions < 3.53.2 (from 0)
CVSS v4.0 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N