CVE-2025-7458 | THREATINT

Description

An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.

PUBLISHED Reserved 2025-07-11 | Published 2025-07-29 | Updated 2025-07-29 | Assigner Google

MEDIUM: 6.9CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-190 Integer Overflow or Wraparound

Product status

Default status

unaffected

3.39.2 (custom) before 3.41.2

affected

Credits

sec.r1nd0@gmail.com reporter

References

sqlite.org/forum/forumpost/16ce2bb7a639e29b

sqlite.org/src/info/12ad822d9b827777 patch

cve.org (CVE-2025-7458)

nvd.nist.gov (CVE-2025-7458)

Download JSON