CVE-2025-7709: 
SQLite vulnerability analysis and mitigation

An integer overflow vulnerability (CVE-2025-7709) was discovered in SQLite's FTS5 extension. The vulnerability was reported on July 15, 2025, and fixed on July 16, 2025, with public disclosure on August 15, 2025. The issue occurs when calculating the size of an array of tombstone pointers, which gets truncated into a 32-bit integer, potentially allowing a pointer to partially controlled data to be written out of bounds (Google Research).

The vulnerability exists in the fts5SegIterAllocTombstone() function where nByte is calculated as the total size for an array of pointers. While the multiplication done in the SZ_FTS5TOMBSTONEARRAY macro is a 64-bit multiplication, the result gets truncated to 32-bit when exceeding 2^32 - 1. The vulnerability has been assigned a CVSS 4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L (NVD).

The vulnerability can lead to heap-buffer-overflow conditions when exploited. The impact is considered moderate, as it can be triggered either by an attacker who can execute arbitrary queries or by processing a controlled SQLite DB file. The overflow can result in out-of-bounds write operations, potentially compromising system security (Google Research).

The vulnerability has been fixed in SQLite version 3.50.3. The fix can be found in commit 63595b74956a9391. Various distributions have also released patches, including Ubuntu 24.04 LTS (noble) with version 3.45.1-1ubuntu2.5 and Ubuntu 25.04 (plucky) with version 3.46.1-3ubuntu0.3 (Ubuntu, Snyk).