CVE-2022-35737: 
vulnerability analysis and mitigation

SQLite versions 1.0.12 through 3.39.x before 3.39.2 contain a vulnerability (CVE-2022-35737) that allows an array-bounds overflow when billions of bytes are used in a string argument to a C API. The vulnerability was discovered in July 2022 and was fixed in SQLite version 3.39.2 released on July 21, 2022. This vulnerability affects applications that use the SQLite library API (SQLite CVEs, Trail of Bits).

The vulnerability occurs in SQLite's implementation of the printf functions when handling large string inputs with specific format substitution types (%Q, %q, or %w). The bug manifests when the format string contains these substitution types and is particularly exploitable when the format string includes the '!' special character for unicode character scanning. The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, the vulnerability can lead to array-bounds overflow, potentially resulting in denial of service (DoS) in all cases. Under specific conditions, particularly when the application is compiled without stack canaries, arbitrary code execution is possible. The vulnerability is exploitable on 64-bit systems, and the exploitability depends on how the program is compiled (Trail of Bits).

The primary mitigation is to upgrade to SQLite version 3.39.2 or later, which contains the fix for this vulnerability. The fix was released on July 21, 2022, and addresses the array-bounds overflow issue (SQLite Release). No alternative workarounds are documented for this vulnerability.