CVE-2025-7709: 
Linux Debian vulnerability analysis and mitigation

An integer overflow vulnerability (CVE-2025-7709) was discovered in SQLite's FTS5 extension. The vulnerability was reported on July 15, 2025, fixed on July 16, 2025, and publicly disclosed on August 15, 2025. The issue affects SQLite versions up to 3.49.1 and was patched in version 3.50.3. The vulnerability exists in the calculation of an array of tombstone pointers, where the size calculation is truncated into a 32-bit integer (GitHub Advisory).

The vulnerability occurs in the fts5SegIterAllocTombstone() function when nByte is calculated as the total size for an array of pointers. While the multiplication done in the SZ_FTS5TOMBSTONEARRAY macro is a 64-bit multiplication, the result gets truncated to 32-bit when the resulting value exceeds 2^32 - 1. The pIter->pSeg->nPgTombstone is a fully attacker-controlled, 32-bit value stored within the metadata tables for an FTS5 table. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L (GitHub Advisory).

When exploited, this vulnerability can lead to a heap-buffer-overflow condition. The overflow can be triggered by either an attacker who can execute arbitrary queries or an attacker that can make an application process a controlled SQLite DB file. This can potentially lead to out-of-bounds read and write operations (GitHub Advisory).

The vulnerability has been fixed in SQLite version 3.50.3. The fix can be found in the SQLite source repository under commit ID 63595b74956a9391. Users are advised to upgrade to the patched version to mitigate this vulnerability (GitHub Advisory).