CVE-2025-29088

Name
CVE-2025-29088
Description
In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
https://www.sqlite.org/cves.html
https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
https://gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248
cve@mitre.org https://sqlite.org/forum/forumpost/48f365daec
cve@mitre.org https://sqlite.org/releaselog/3_49_1.html

Match rules

CPE URI Source package Min version Max version
sqlite >= 3.49.0 < 3.49.1
cpe:2.3:a:sqlite:sqlite:3.49.0:*:*:*:*:*:*:* sqlite == None == 3.49.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
sqlite edge-main 3.49.0-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
sqlite edge-main 3.49.0-r1 Celeste <cielesti@protonmail.com> possibly vulnerable