Your submission was sent successfully! Close

CVE-2022-35737

Published: 3 August 2022

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

Notes

AuthorNote
mdeslaur
the wrong commit was previously identified, but didn't match
the vulnerability PoC.
Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
sqlite
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
jammy Not vulnerable
(code not present)
kinetic Not vulnerable
(code not present)
trusty Not vulnerable
(code not present)
upstream Needs triage

xenial Ignored
(end of standard support)
sqlite3
Launchpad, Ubuntu, Debian
bionic
Released (3.22.0-1ubuntu0.7)
focal
Released (3.31.1-4ubuntu0.5)
jammy
Released (3.37.2-2ubuntu0.1)
kinetic Not vulnerable
(3.39.3-1)
trusty
Released (3.8.2-1ubuntu2.2+esm3)
upstream Needs triage

xenial
Released (3.11.0-1ubuntu1.5+esm2)
Patches:
upstream: https://github.com/sqlite/sqlite/commit/6eb7354fabede50a3601f251caaec172556a3a82