CVE-2025-7458

An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.

References

Affected packages

Debian:12 / sqlite3

Package

Name: sqlite3
Purl: pkg:deb/debian/sqlite3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.40.1-2

3.40.1-2+deb12u1

3.42.0-1

3.43.0-1

3.43.1-1

3.43.2-1

3.44.0-1

3.44.2-1

3.45.0-1

3.45.1-1

3.45.2-1

3.45.3-1

3.45.3-2~exp1

3.46.0-1

3.46.1-1

3.46.1-2~exp

3.46.1-2

3.46.1-3

3.46.1-4

3.46.1-5

3.46.1-6

3.46.1-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / sqlite3

Package

Name: sqlite3
Purl: pkg:deb/debian/sqlite3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.42.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / sqlite3

Package

Name: sqlite3
Purl: pkg:deb/debian/sqlite3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.42.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/sqlite/sqlite

Affected ranges

Type: GIT
Repo: https://github.com/sqlite/sqlite
Events: Introduced

202b2a7b54ea2dd13a8a5adfd75523abe4dcf17f

Fixed

e671c4fbc057f8b1505655126eaf90640149ced6