An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.

🗓️ 04 Sep 2025 00:14:10Reported by MicrosoftType

mscve

mscve🔗 msrc.microsoft.com👁 2 Views

Integer overflow in SQLite concat_ws truncates size, causing heap buffer overflow and code execution.

Reporter	Title	Published	Views	Family All 104
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to multiple Operator package issues	19 Jun 202517:24	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in SQLite affects IBM watsonx Orchestrate with watsonx Assistant Cartridge	22 Jan 202605:00	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates	30 Jun 202513:27	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM watsonx Orchestrate with watsonx Assistant Cartridge	10 Sep 202520:35	–	ibm
IBM Security Bulletins	Security Bulletin: AIX/VIOS is vulnerable to arbitrary code execution (CVE-2025-3277, CVE-2025-29087) and denial of service (CVE-2025-29088) due to RPM	17 Jul 202516:10	–	ibm
Tenable Nessus	AlmaLinux 8 : nodejs:22 (ALSA-2025:4459)	8 May 202500:00	–	nessus
Tenable Nessus	AlmaLinux 9 : nodejs:22 (ALSA-2025:7433)	21 May 202500:00	–	nessus
Tenable Nessus	Fedora 41 : sqlite (2025-39461417a6)	3 Oct 202500:00	–	nessus
Tenable Nessus	FreeBSD : sqlite -- integer overflow (b945ce3f-6f9b-11f0-bd96-b42e991fc52e)	3 Aug 202500:00	–	nessus
Tenable Nessus	MiracleLinux 9 : nodejs:22 (AXSA:2025-10479:01)	13 Jan 202600:00	–	nessus

04 Sep 2025 00:14Current

7High risk

Vulners AI Score7

CVSS 3.19.8

CVSS 46.9

EPSS0.00609

SSVC

integer overflow sqlite concat_ws size truncation heap buffer overflow arbitrary code execution