CVE-2025-29088

NameCVE-2025-29088
DescriptionIn SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1102670

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sqlite3 (PTS)bullseye3.34.1-3vulnerable
bullseye (security)3.34.1-3+deb11u1vulnerable
bookworm3.40.1-2+deb12u2vulnerable
trixie3.46.1-7fixed
forky, sid3.46.1-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sqlite3source(unstable)3.46.1-41102670

Notes

[bookworm] - sqlite3 <no-dsa> (Minor issue)
[bullseye] - sqlite3 <postponed> (Minor issue)
https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
Search for package or bug name: Reporting problems