SQLite: numeric truncation memory corruption in SQLite aggregate functions (CVE-2025-6965) #shorts

Summary

CVE-2025-6965 is a critical memory corruption vulnerability in SQLite versions before 3.50.2. Discovered proactively by Google's 'Big Sleep' AI tool, this flaw could be triggered when the number of SQL aggregate terms exceeds the number of available result columns. Several major Linux distributions, including Ubuntu 20.04 and Oracle Linux 9, have released security advisories and patches to address the issue.

Product details

The vulnerability affects SQLite, a widely embedded SQL database engine used in countless applications and operating systems. Versions prior to 3.50.2 are impacted. Ubuntu 20.04 patched the flaw under USN-7679-1. Oracle Linux 9 issued ELSA-2025-11992, and a related Node.js runtime package was updated to include the fixed SQLite library.

Vulnerability type summary

This issue is classified as CWE-197: Numeric Truncation Error. A mismatch between the count of SQL aggregate functions and the defined result columns allows an attacker to overwrite adjacent memory, leading to potential crashes or arbitrary code execution.

Details of the vulnerability

In SQLite versions before 3.50.2, the internal check that ensures the number of aggregate expressions matches the result column count is flawed. By crafting a query with more aggregate terms than columns, an attacker can corrupt the heap or stack data structures. While exploitation requires the ability to execute or submit SQL, anything from a malformed application request to an embedded SQL call could trigger the error. Successful exploitation can cause denial of service or in some contexts lead to execution of arbitrary code in the host process.

Conclusion

To mitigate CVE-2025-6965, upgrade SQLite to version 3.50.2 or later, or apply your platform vendor's patches immediately. Ubuntu 20.04 users should install USN-7679-1 updates, Oracle Linux 9 users should apply ELSA-2025-11992, and any Node.js installations relying on the affected SQLite library must be updated to the patched package. Regularly updating embedded libraries and monitoring vendor security advisories will help prevent similar issues in the future.

Watch the full video on YouTube: CVE-2025-6965

Remediation and exploitation details

This chain involves the following actors

  • Threat Actor: Attempts to exploit the memory corruption vulnerability
  • Application Developer: Integrates SQLite and applies the security update
  • System Administrator: Deploys and manages updated software packages
  • End User: Runs applications that embed SQLite

This following systems are involved

  • SQLite (Lightweight database engine): Processes structured query language statements including aggregate functions
  • Ubuntu 20.04 (Desktop and server operating system): Hosts software that embeds SQLite
  • Oracle Linux 9 (Enterprise-grade operating system): Hosts software that embeds SQLite

Attack entry point

  • SQL Aggregate Query: Execution of a crafted structured query language command containing more aggregate expressions than the number of defined output columns

Remediation actions

Application Developer
Upgrade the embedded SQLite library to version 3.50.2 or later
SQLite
System Administrator
Apply operating system updates on Ubuntu 20.04 and Oracle Linux 9 to obtain the patched SQLite package
Operating system package manager
Application Developer
Rebuild and redeploy applications after updating the SQLite dependency
Build and deployment pipeline
End User
Install the latest application or operating system update provided by the vendor
User device

Exploitation actions

Aggregate term overflow

Threat Actor
Constructs a structured query language statement with a large number of aggregate expressions, for example SELECT SUM(col) AS c1, SUM(col) AS c2, … repeated beyond the column count
SQLite
Examples:
  • SELECT SUM(value) AS c1, SUM(value) AS c2, …, SUM(value) AS cN FROM data_table;

User-supplied query execution

Threat Actor
Submits the crafted query to the application or direct database interface
Application embedding SQLite
Examples:
  • database.execute("<crafted query>");

Memory allocation mismatch

Threat Actor
Triggers the internal routine that allocates memory for a fixed number of aggregate outputs
SQLite memory allocator
Examples:
  • Internal arrays sized for original column count

Buffer overflow

Threat Actor
Causes writes beyond the allocated buffer by processing extra aggregate terms
SQLite execution engine
Examples:
  • Heap overflow corrupting adjacent memory blocks

Denial of service or potential remote code execution

Threat Actor
Leverages the corrupted memory state to trigger a crash or take control of execution flow
Host process running SQLite
Examples:
  • Process termination with segmentation fault
  • Hijacked return address to execute attacker code

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2025-6965
Description
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
Provider
Google
CWE / problem types
CWE-197: Numeric Truncation Error
Affected Software Versions
SQLite:SQLite:[{'lessThan': '3.50.2', 'status': 'affected', 'version': '0', 'versionType': 'semver'}]
Date Published
2025-07-15T13:44:00.784Z
Last Updated
2025-07-15T13:55:46.280Z