SQLite before version 3.53.2 contains memory corruption flaws in the FTS5 full‑text search extension. An attacker can supply a crafted database with malformed page data that triggers an out‑of‑bounds read in fts5LeafSeek() and a heap buffer overflow write in fts5ChunkIterate(). The overflow occurs when an integer underflow on a continuation page allows an attacker‑controlled loop to iterate past the intended bounds. When an FTS5 MATCH query is executed against this malicious database, the corruption can lead to process crashes, memory exhaustion, or arbitrary code execution. The vulnerability is categorized as CWE‑122 (Classic Buffer Overflow).

All installations of SQLite older than 3.53.2 are affected, regardless of platform or usage context. This includes embedded databases in desktop applications, mobile apps, web servers, and any system component that loads SQLite databases without validating their integrity. The key product is SQLite itself, with the affected range being all releases prior to 3.53.2.

The CVSS score of 8.5 marks this flaw as high‑severity. No EPSS score is available, but the presence of a buffer overflow and potential for arbitrary code execution indicates a significant exploitability risk when an attacker can introduce or control the database file. The vulnerability is not listed in the CISA KEV catalog, yet the escalation potential warrants immediate attention. Attackers can exploit the flaw by delivering a malicious database to an application that uses the FTS5 extension, triggering a MATCH query. The impact could range from denial of service to full system compromise, depending on the privileges of the affected process.