CVE-2019-5018

Published: 10 May 2019

An exploitable use-after-free vulnerability exists in the window function functionality of SQLite3 3.26.0. A specially crafted SQL command can cause a use-after-free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.

Priority

Low

CVSS 3 base score: 8.1

Status

Package: sqlite3 (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Needs triage
Ubuntu 20.04 LTS (Focal Fossa)     Released (3.27.2-3)
Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable
Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable
Ubuntu 14.04 ESM (Trusty Tahr)     Not vulnerable

Patches:
Upstream: https://www.sqlite.org/src/vpatch?from=1ae70ad2ffd36c27&to=1e16d3e8fc60d39c