
Cloud Vulnerability DB
A community-led vulnerabilities database
A buffer overflow vulnerability was discovered in SQLite3 version 3.27.1 and earlier, which allows a local attacker to cause a denial of service through a crafted script. The vulnerability was initially found in versions supporting window functions, starting from version 3.25.0 (released on 2018-09-15) (SQLite Commit).
The vulnerability is classified as a Classic Buffer Overflow (CWE-120) with a CVSS v3.1 base score of 5.5 (MEDIUM). The attack vector is local (AV:L), with low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and unchanged scope (S:U). There is no impact on confidentiality (C:N) or integrity (I:N), but a high impact on availability (A:H) (NVD Database).
When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition. The issue specifically involves an attempt to free memory that was not obtained from malloc when processing certain SQL statements involving window functions (SQLite Commit, NetApp Advisory).
The vulnerability was fixed in SQLite version 3.27.2. The fix involves removing all references to a Window object that belongs to an expression in an ORDER BY clause if that expression is converted to an alias of a result-set expression (SQLite Commit).
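The version boundaries above can be turned into an inventory triage check. The following is an added example, not code from the advisory or the SQLite project; the asset names, the status labels and the sample inventory are constructed for illustration.

```python
import re
import sqlite3

# Boundaries taken from the advisory text above.
WINDOW_FUNCS_ADDED = (3, 25, 0)  # first release with window functions
FIXED_IN = (3, 27, 2)            # release carrying the fix

def parse_version(raw):
    """Accept '3.27.1', '3.27.2-3ubuntu1', '1:3.27.2-1' or the integer
    SQLITE_VERSION_NUMBER form (X*1000000 + Y*1000 + Z, e.g. 3027001)."""
    raw = str(raw).strip()
    if re.fullmatch(r"\d{7}", raw):
        n = int(raw)
        return (n // 1_000_000, (n // 1000) % 1000, n % 1000)
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised SQLite version: {raw!r}")
    return tuple(int(p) for p in m.groups())

def classify(raw):
    """Map a version string to a triage status (labels are hypothetical)."""
    v = parse_version(raw)
    if v >= FIXED_IN:
        return "fixed"
    if v >= WINDOW_FUNCS_ADDED:
        return "affected"
    # Covered by "3.27.1 and earlier", but predates window functions.
    return "listed-no-window-functions"

def triage(inventory):
    """inventory: iterable of (asset, version) pairs -> {asset: status}."""
    return {asset: classify(ver) for asset, ver in inventory}

# Constructed sample inventory (not real hosts).
SAMPLE = [
    ("build-agent", "3.27.1"),
    ("api-container", "3.27.2-3ubuntu1"),
    ("embedded-fw", "3026000"),
    ("legacy-vm", "3.24.0"),
]

if __name__ == "__main__":
    # Also report the SQLite library linked into this Python interpreter.
    print("this interpreter:", sqlite3.sqlite_version,
          classify(sqlite3.sqlite_version))
    for asset, status in triage(SAMPLE).items():
        print(f"{asset:15} {status}")
```

A distribution package numbered below 3.27.2 may still carry a backported fix, so confirm an "affected" result against the vendor's own advisory before scheduling remediation.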
Source: This report was generated using AI