CVE-2025-52099: 
SQLite vulnerability analysis and mitigation

Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 was discovered and assigned CVE-2025-52099. The vulnerability allows a remote attacker to cause a denial of service via the setupLookaside function. The issue was disclosed on October 24, 2025, and affects SQLite version 3.50.0 (NVD, Debian Tracker).

The vulnerability is classified as an Integer Overflow (CWE-190) that occurs in the setupLookaside function of SQLite. The issue stems from an unchecked multiplication of sz * nBig, which can wrap into a negative value and result in invalid memory writes. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, GitHub POC).

The vulnerability can lead to denial of service conditions when exploited. The impact primarily affects the availability of the system, with no direct impact on confidentiality or integrity. The vulnerability is particularly concerning as it can be triggered remotely without requiring user interaction or special privileges (Snyk, Rapid7).

Several Linux distributions have released fixes for the vulnerability. Debian has fixed the issue in version 3.46.1-7 for trixie and 3.46.1-8 for forky and sid releases. Ubuntu has also released security updates through USN-7528-1 and USN-7679-1 (Debian Tracker).