CVE-2026-11824: SQLite before 3.53.2 Heap Buffer Overflow via FTS5 fts5ChunkIterate
SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.
Metrics
- CVSS v4.0
- 8.5
- Severity
- HIGH
- Fixed in
- 3.53.2
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A heap-based buffer overflow exists in SQLite's FTS5 full-text search extension, affecting all versions before 3.53.2. The vulnerability is triggered locally without requiring authentication, but does require a user or application to open a crafted SQLite database file containing malicious continuation page metadata with a szLeaf value smaller than 4. Successful exploitation causes an integer underflow in fts5ChunkIterate() that inflates a remaining-byte counter, leading to attacker-controlled data being written past the end of a heap buffer, enabling arbitrary code execution or a crash. A patched-image rebuild at SQLite 3.53.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection for CVE-2026-11824 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle their own SQLite binaries. Any image containing a SQLite version older than 3.53.2 compiled with SQLITE_ENABLE_FTS5 is flagged automatically in the pipeline scan.
HarborGuard scores this CVE at CVSS 8.5 (HIGH) and surfaces it alongside per-environment compliance policy weighting, so teams with stricter runtime policies see it elevated to the front of their queue. Triage routing is capable of directing findings to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild pinned to SQLite 3.53.2 becomes available on HarborGuard once the fix version is confirmed against the affected image layer. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host, or the ability to supply a crafted database file to an application running locally; no network access to the target service is required.
- Authentication: Not required
No credentials or account privileges are required; the attack is delivered entirely through a malformed database file.
- Victim interaction: Required
A user or application process must open the crafted SQLite database file and run an FTS5 MATCH query against it, making this a social-engineering or supply-chain delivery scenario.
- Attack complexity: Low
Triggering the underflow is deterministic once the crafted database is processed: no race conditions or special environmental factors are needed, so a crash or heap corruption is reliable. Turning the out-of-bounds write into a control-flow hijack still depends on the heap layout of the target process.
Blast Radius
- Reads sensitive data accessible to the vulnerable process, including stored records, session state, and application secrets held in the SQLite database, once the overflow is leveraged into code execution.
- Modifies or corrupts persisted database rows and application data through the heap overflow write primitive.
- Crashes the affected application process, causing a denial of service for any workload that opens the malicious database.
- Executes arbitrary code in the context of the application process if heap layout conditions allow a full control-flow hijack.
How HarborGuard Handles This
Available on HarborGuard: images containing SQLite older than 3.53.2 are matched against this CVE at ingestion time, and a rebuilt image at the patched version is available for any affected image layer. For customers who opt into auto-remediation, the typical flow is a rebuild, a regression-test run, and a PR opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and the finding is routed to the appropriate team inbox for review. Because the attack needs no network reachability, network-policy controls do not mitigate it. Customers who cannot immediately rebuild are advised to restrict the sources from which FTS5-enabled applications accept database files (file permissions, refusing user-supplied database files, and checking the schema for FTS5 virtual tables before running MATCH queries), and to consider feature-flag gating or build-time removal of SQLITE_ENABLE_FTS5 as a compensating control until the patched image is deployed.
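The two checks referred to above, whether a SQLite build is in scope (older than 3.53.2 and compiled with SQLITE_ENABLE_FTS5, as the coverage section describes) and whether an untrusted database file even declares an FTS5 table (the schema check suggested as a compensating control), as an added example that is neither HarborGuard's nor SQLite's own code. It uses Python's standard sqlite3 module, so it inspects whichever SQLite library this Python process has loaded; the function names and the in-memory fixture database are constructed for illustration.

```python
import sqlite3

# Fix version from the advisory; builds at or above this are out of scope.
FIXED_VERSION = (3, 53, 2)


def parse_version(s):
    """Turn a SQLite version string such as '3.45.1' into a comparable tuple,
    padding short strings like '3.45' to three components."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version, fts5_enabled):
    """A build is in scope only if it predates the fix AND was compiled with
    SQLITE_ENABLE_FTS5; without FTS5 the vulnerable code path is absent."""
    return parse_version(version) < FIXED_VERSION and bool(fts5_enabled)


def library_facts(conn):
    """Ask the loaded SQLite library for its version and FTS5 compile option.
    sqlite_compileoption_used() returns 1 if the option was set at build time;
    it accepts the name with or without the SQLITE_ prefix."""
    row = conn.execute(
        "SELECT sqlite_version(), sqlite_compileoption_used('SQLITE_ENABLE_FTS5')"
    ).fetchone()
    return {"version": row[0], "fts5_enabled": bool(row[1])}


def fts5_tables_in(conn):
    """Names of FTS5 virtual tables declared in a database's schema.
    Reading sqlite_master only parses the schema text and runs no MATCH
    query, so it is a way to learn whether an untrusted file reaches the
    FTS5 code at all before the application queries it. LIKE is
    case-insensitive for ASCII in SQLite, so 'USING FTS5' also matches."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND sql LIKE '%using fts5%'"
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run the checks against this process's own SQLite library and a
    constructed in-memory database (a fixture, not a real customer image)."""
    conn = sqlite3.connect(":memory:")
    facts = library_facts(conn)

    # A plain table must not be reported as FTS5.
    conn.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
    plain = fts5_tables_in(conn)

    # Only libraries built with FTS5 can create the virtual table at all.
    fts = None
    if facts["fts5_enabled"]:
        conn.execute("CREATE VIRTUAL TABLE notes_fts USING fts5(body)")
        fts = fts5_tables_in(conn)

    conn.close()
    return {
        "library": facts,
        "affected": is_affected(facts["version"], facts["fts5_enabled"]),
        "plain_db_fts5_tables": plain,
        "fts5_db_fts5_tables": fts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check reports on the SQLite that Python itself loaded, which in a container image is often not the copy that matters: an application may link its own libsqlite3 or embed the amalgamation statically. When scanning an image, run the same two questions against each bundled copy (for the CLI, `sqlite3 -version` and `PRAGMA compile_options;` give the same answers) rather than trusting a single system-wide result.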
- SQLite / SQLite < 3.53.2 (from 0)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N