Description
An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.
Published: 2026-03-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

An information disclosure vulnerability exists in the zipfileInflate function of the SQLite zipfile extension for versions 3.51.1 and earlier. By supplying a specially crafted ZIP file, an attacker can read data from the heap memory during decompression, potentially revealing sensitive information. The weakness is categorized as CWE-244 (Information Exposure through Heap) and CWE-908 (Improper Validation of Source Data).

Affected Systems

All installations of SQLite 3.51.1 and older are affected, regardless of the vendor or product embedding the library. No vendor-specific restrictions are listed. The flaw is present in the default distribution of SQLite. Any application that imports or uses the zipfileInflate routine and processes external ZIP archives is at risk.

Risk and Exploitability

The base CVSS score of 7.5 indicates a high confidentiality impact. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must supply a crafted ZIP file to the vulnerable function; thus, the attack requires the target application to accept or process untrusted ZIP archives. No public exploit has been documented, and remediation relies on updating the library or restricting ZIP processing.

Generated by OpenCVE AI on March 18, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SQLite library to version v3.51.2 or newer to eliminate the zipfileInflate flaw.
  • If an immediate update is not feasible, restrict or avoid processing untrusted ZIP files in applications using the vulnerable library.
  • Validate ZIP archives against a trusted whitelist and perform integrity checks before decompression.
  • Monitor application logs for anomalous memory access or decompression errors that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Sat, 14 Mar 2026 04:15:00 +0000

Weaknesses (added): CWE-244
Metrics (removed): cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Metrics (added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 13 Mar 2026 12:15:00 +0000

Title (added): sqlite: SQLite: Information Disclosure via Crafted ZIP File
Weaknesses (added): CWE-908
References: (values not listed)
Metrics (removed): threat_severity None
Metrics (added): cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
Metrics (added): threat_severity Low

Fri, 13 Mar 2026 10:00:00 +0000

First Time appeared (added): Sqlite; Sqlite sqlite
Vendors & Products (added): Sqlite; Sqlite sqlite

Thu, 12 Mar 2026 19:00:00 +0000

Description (added): An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.
References: (values not listed)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-14T03:35:18.796Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70873

Vulnrichment

Updated: 2026-03-14T03:35:12.316Z

NVD

Status : Awaiting Analysis

Published: 2026-03-12T19:16:15.933

Modified: 2026-03-16T14:18:02.437

Link: CVE-2025-70873

Redhat

Severity : Low

Public Date: 2026-03-12T00:00:00Z

Links: CVE-2025-70873 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T15:36:34Z

Weaknesses