CVE-2025-3277

Name	CVE-2025-3277
Description	An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
sqlite3 (PTS)	bullseye	3.34.1-3	fixed
	bullseye (security)	3.34.1-3+deb11u1	fixed
	bookworm	3.40.1-2+deb12u2	fixed
	trixie	3.46.1-7	fixed
	forky, sid	3.46.1-8	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
sqlite3	source	bullseye	(not affected)
sqlite3	source	bookworm	(not affected)
sqlite3	source	(unstable)	3.46.1-3

Notes

[bookworm] - sqlite3 <not-affected> (Vulnerable code not present)
[bullseye] - sqlite3 <not-affected> (Vulnerable code not present)
Fixed by: https://sqlite.org/src/info/498e3f1cf57f164f (v3.49.1)
Duplicate of CVE-2025-29087