CVE-2025-3277

An integer overflow can be triggered in SQLite's `concat_ws()` function. The resulting truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size, and thus a wild heap buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.
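The size arithmetic behind this bug class, as an added example that is not SQLite source code: it works on lengths only, shows how narrowing a 64-bit size to 32 bits leaves the allocation far smaller than the write, and pairs that with a bounded calculation. All function names, the `SAMPLE` lengths and the `MAX_JOINED` cap are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_JOINED 1000000000LL /* assumed cap for this example */

/* Bytes needed to join n strings with a sep_len-byte separator plus NUL. */
static int64_t joined_size(const int64_t *lens, size_t n, int64_t sep_len) {
    int64_t total = 1;
    for (size_t i = 0; i < n; i++)
        total += lens[i] + (i + 1 < n ? sep_len : 0);
    return total;
}

/* Flawed pattern: the size is narrowed to 32 bits before allocation. */
static uint32_t truncated_alloc_size(int64_t total) {
    return (uint32_t)total; /* keeps only the low 32 bits */
}

/* Bytes a writer using the untruncated size would place past the buffer. */
static int64_t bytes_past_buffer(int64_t total) {
    return total - (int64_t)truncated_alloc_size(total);
}

/* Hardened: bound every addition by MAX_JOINED. Returns 0 or -1. */
static int joined_size_checked(const int64_t *lens, size_t n,
                               int64_t sep_len, size_t *out) {
    int64_t total = 1;
    if (sep_len < 0 || sep_len > MAX_JOINED) return -1;
    for (size_t i = 0; i < n; i++) {
        int64_t sep = (i + 1 < n) ? sep_len : 0;
        if (lens[i] < 0 || lens[i] > MAX_JOINED - total) return -1;
        total += lens[i];
        if (sep > MAX_JOINED - total) return -1;
        total += sep;
    }
    *out = (size_t)total;
    return 0;
}

/* Constructed sample: four 1 GiB lengths, joined with a 1-byte separator. */
static const int64_t SAMPLE[4] = {1073741824, 1073741824, 1073741824, 1073741824};

int main(void) {
    int64_t t = joined_size(SAMPLE, 4, 1);
    size_t sz = 0;
    printf("needed=%lld allocated=%u past=%lld checked=%d\n", (long long)t,
           (unsigned)truncated_alloc_size(t), (long long)bytes_past_buffer(t),
           joined_size_checked(SAMPLE, 4, 1, &sz));
    return 0;
}
```

For the constructed sample the narrowed allocation is 4 bytes while the write length stays above 4 GiB, which is the size mismatch the description refers to.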
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | UNKNOWN | ---
Google | CNA | --- | ---
CISA-ADP | ADP | --- | ---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score percentile: 25%
Debian Releases
Debian Product: sqlite3
Codename | Version | Status
bullseye | 3.34.1-3 | not-affected
bookworm | 3.40.1-2+deb12u1 | not-affected
bullseye (security) | 3.34.1-3+deb11u1 | fixed
trixie | 3.46.1-4 | fixed
sid | 3.46.1-6 | fixed