
Description

In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.

PUBLISHED Reserved 2025-03-11 | Published 2025-04-10 | Updated 2025-08-26 | Assigner mitre




MEDIUM: 5.6 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Problem types

CWE-190 Integer Overflow or Wraparound

Product status

Default status: unaffected

3.49.0 (semver) before 3.49.1: affected

References

www.sqlite.org/cves.html

sqlite.org/forum/forumpost/48f365daec

github.com/...ommit/56d2fd008b108109f489339f5fd55212bb50afd4

gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248

sqlite.org/releaselog/3_49_1.html

cve.org (CVE-2025-29088)

nvd.nist.gov (CVE-2025-29088)
