Vulnerability Spotlight: Remote code execution bug in SQLite

Cory Duplantis of Cisco Talos discovered this vulnerability.

Executive summary

SQLite contains an exploitable use-after-free vulnerability that could allow an attacker to gain the ability to remotely execute code on the victim machine. SQLite is a client-sidedatabase management system contained in a C programming library. SQLite implements the Window Functions feature of SQL, which allows queries over a subset, or “window,” of rows. This specific vulnerability lies in that “window” function.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SQLite to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

SQLite3 window function remote code execution vulnerability (TALOS-2018-0777/CVE-2019-5018)

An exploitable use-after-free vulnerability exists in the window function of SQLite3 3.26.0. A specially crafted SQL command can cause a use-after-free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that versions 3.26.0 and 3.27.0 of SQLite are affected by this vulnerability.