Impact
The vulnerability arises when the number of aggregate terms in a query exceeds the number of columns in SQLite, resulting in an integer truncation that corrupts memory. This corruption could cause the application to crash or corrupt data, as the memory layout is overwritten. The weakness is classified as CWE-197.
Affected Systems
All releases of the SQLite engine before version 3.50.2 are affected. The CNA identifies the product simply as SQLite, with the version range covering all pre‑3.50.2 releases. No additional vendor or product variants are listed.
Risk and Exploitability
The CVSS score of 7.2 indicates a high severity impact; combined with an EPSS score of 73 %, the likelihood of exploitation is significant. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely trigger the flaw by submitting crafted SQL statements that generate an aggregate query exceeding the column count, which requires the ability to execute queries against the vulnerable SQLite instance, either locally or over the network depending on how the database is accessed.
OpenCVE Enrichment
EUVD
Github GHSA
Ubuntu USN