CVE-2025-71316

Name: CVE-2025-71316
Description: SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options. Fixed on or around 2025-12-26.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version             Status
sqlite3 (PTS)    bullseye              3.34.1-3            fixed
                 bullseye (security)   3.34.1-3+deb11u1    fixed
                 bookworm              3.40.1-2+deb12u2    fixed
                 trixie                3.46.1-7+deb13u1    fixed
                 forky                 3.46.1-9            fixed
                 sid                   3.53.3-1            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
sqlite3   source   (unstable)   (not affected)

Notes

- sqlite3 <not-affected> (Windows-specific)
