Introduction
A single miscalculation in a memory allocation routine can bring down applications that millions rely on. SQLite, the ubiquitous embedded database engine found in browsers, mobile devices, and enterprise software, is at the center of a newly disclosed vulnerability that can crash any application using version 3.50.0 with certain configuration patterns.
SQLite is a C-language library providing a lightweight SQL database engine. It is one of the most widely deployed database engines globally, embedded in everything from smartphones to browsers to IoT devices. Its reliability and small footprint have made it a foundational component in the software industry, powering countless products and services.
Technical Information
CVE-2025-52099 is an integer overflow vulnerability in the setupLookaside function of SQLite 3.50.0. The issue is triggered when the sqlite3_db_config API is called with the SQLITE_DBCONFIG_LOOKASIDE option and attacker-controlled sz (size) and cnt (count) parameters. The vulnerability is rooted in improper type casting during a memory allocation calculation, which can lead to a denial of service.
The relevant code pattern is as follows:
sqlite3_int64 szAlloc = sz * (sqlite3_int64)cnt; ... nSm = (int)((szAlloc - sz * nBig) / LOOKASIDE_SMALL);
In this code, sz * nBig is not cast to sqlite3_int64, so if sz and nBig are large, the multiplication can overflow a 32-bit integer. This leads to an incorrect result for nSm, which is used to divide the lookaside buffer. If the calculation overflows, the application may allocate an incorrect amount of memory, resulting in a crash or denial of service.
The vulnerability is only exploitable if an attacker can control the parameters passed to sqlite3_db_config for lookaside buffer configuration. Applications that do not expose this configuration to untrusted input are not affected.
Affected Systems and Versions
- SQLite 3.50.0 is affected
- Only systems or applications that allow untrusted input to the
sqlite3_db_configAPI withSQLITE_DBCONFIG_LOOKASIDEare vulnerable - No other versions are currently listed as affected in public sources
Vendor Security History
SQLite has experienced a series of integer overflow vulnerabilities in 2025, including:
- CVE-2025-29088 (setupLookaside in 3.49.0)
- CVE-2025-29087 (concat_ws function in 3.44.0 through 3.49.0)
The SQLite project is known for rapid response to impactful vulnerabilities, but fixes have not always been consistently applied across all major versions.
