Description
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
Published: 2025-07-15
Score: 7.2 High
EPSS: 73.5% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the number of aggregate terms in a query exceeds the number of columns in SQLite, resulting in an integer truncation that corrupts memory. This corruption could cause the application to crash or corrupt data, as the memory layout is overwritten. The weakness is classified as CWE-197.

Affected Systems

All releases of the SQLite engine before version 3.50.2 are affected. The CNA identifies the product simply as SQLite, with the version range covering all pre‑3.50.2 releases. No additional vendor or product variants are listed.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity impact; combined with an EPSS score of 73 %, the likelihood of exploitation is significant. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely trigger the flaw by submitting crafted SQL statements that generate an aggregate query exceeding the column count, which requires the ability to execute queries against the vulnerable SQLite instance, either locally or over the network depending on how the database is accessed.

Generated by OpenCVE AI on June 27, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SQLite engine to version 3.50.2 or later to apply the integer truncation fix.
  • If an immediate upgrade is not possible, validate and constrain user‑supplied SQL to ensure that the number of aggregate terms does not exceed the number of columns, thereby preventing the truncation condition.
  • Apply additional safeguards such as input sanitization or access controls that limit the creation or execution of complex aggregate queries from untrusted sources.

Generated by OpenCVE AI on June 27, 2026 at 14:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21441 There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
Github GHSA Github GHSA GHSA-2m69-gcr7-jv3q SQLitePCLRaw.lib.e_sqlite3 has a vulnerable dependency on SQLite
Ubuntu USN Ubuntu USN USN-7676-1 SQLite vulnerability
Ubuntu USN Ubuntu USN USN-7679-1 SQLite vulnerabilities
History

Tue, 14 Apr 2026 10:30:00 +0000


Tue, 04 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 03 Nov 2025 19:30:00 +0000


Tue, 22 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00042}


Wed, 16 Jul 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L'}

threat_severity

Important


Tue, 15 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Jul 2025 14:00:00 +0000

Type Values Removed Values Added
Description There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
Title Integer Truncation on SQLite
Weaknesses CWE-197
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/S:N/AU:N/R:U/V:D/RE:L/U:Green'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-04-29T03:55:46.708Z

Reserved: 2025-07-01T09:19:04.750Z

Link: CVE-2025-6965

cve-icon Vulnrichment

Updated: 2025-11-04T21:14:51.528Z

cve-icon NVD

Status : Modified

Published: 2025-07-15T14:15:31.080

Modified: 2026-06-17T10:02:57.673

Link: CVE-2025-6965

cve-icon Redhat

Severity : Important

Publid Date: 2025-07-15T13:44:00Z

Links: CVE-2025-6965 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T14:30:17Z

Weaknesses