Introduction
Two memory corruption bugs in SQLite's FTS5 full text search extension can be chained to leak heap data and then overwrite heap memory, potentially achieving arbitrary code execution when an application merely runs a search query against a crafted database file. With SQLite embedded in every Android device, every iPhone, every Mac, every Windows 10/11 installation, and every major web browser, the number of potentially affected endpoints is measured in the billions.
Technical Information
CVE-2026-11822 describes two distinct memory corruption conditions in SQLite's FTS5 extension, both located in ext/fts5/fts5_index.c. The FTS5 extension is a virtual table module that provides full text search functionality to SQLite applications, and it is widely used in Android applications for native search, in desktop applications, and in server side deployments.
Root Cause: Out of Bounds Read in fts5LeafSeek()
The first bug resides in the fts5LeafSeek() function. When FTS5 reads a leaf page from a database, a loop iterates over page entries using a bound derived from the page data itself. In a crafted database, the attacker controls this loop bound. A malformed FTS5 leaf page can set the bound to a value that exceeds the actual allocated buffer size, causing the function to read memory beyond the buffer boundary. This out of bounds read can leak sensitive heap contents or trigger a segmentation fault, crashing the process.
Root Cause: Heap Buffer Overflow Write in fts5ChunkIterate()
The second bug resides in the fts5ChunkIterate() function. When FTS5 processes continuation pages during index traversal, it computes a write offset or size based on values read from the page data. A crafted continuation page can cause an integer underflow in this computation, resulting in a write that extends past the end of a heap allocated buffer. This is classified as CWE-122 (Heap based Buffer Overflow), a well understood weakness category where overwriting heap memory can corrupt function pointers, vtable entries, or heap metadata structures, enabling redirection of execution to attacker controlled code.
Attack Flow
The exploitation sequence proceeds through four stages:
-
Crafted Database Preparation: The attacker constructs a SQLite database file containing malformed FTS5 page data within the FTS5 index structures. The malformed data includes a manipulated loop bound for the
fts5LeafSeek()bug and a crafted continuation page for thefts5ChunkIterate()bug. -
Database Delivery: The attacker delivers the crafted database file to the target application. This could occur through any mechanism where an application accepts or processes external SQLite databases: file sharing, cloud sync, email attachments, imported backups, or content ingestion pipelines.
-
Query Trigger: The target application opens the database and executes an FTS5 MATCH query against an FTS5 virtual table. This is the standard operation for full text search in SQLite and is commonly triggered by user initiated search actions in applications.
-
Memory Corruption: During index traversal, the corrupted page data triggers the memory corruption. The out of bounds read in
fts5LeafSeek()fires during leaf page processing, and the heap buffer overflow write infts5ChunkIterate()fires during continuation page processing.
Compound Exploitation Potential
The dual bug nature of this vulnerability is particularly significant. The out of bounds read can be leveraged for information leakage to map the heap layout of the target process. This information can then be used to refine the heap buffer overflow write into a reliable code execution primitive, bypassing heap randomization and other mitigations. This combination elevates the practical exploitability beyond what either bug alone would permit.
Fix Details
Two commits address the vulnerability, both modifying ext/fts5/fts5_index.c:
| Commit | Author | Date | Branch |
|---|---|---|---|
| 4a5ad516ea93 | dan | 2026-05-11 11:12:06 | trunk |
| 061febcf41ca | drh | 2026-05-11 12:00:19 | branch-3.53 |
Both commits carry the description "Fix potential buffer overwrite that could occur in fts5 when processing corrupt records." A regression test file fts5corruptA.test was added alongside each fix to verify the correction. The trunk commit was applied first, with the branch-3.53 backport following approximately 48 minutes later.
Affected Systems and Versions
All SQLite versions prior to 3.53.2 are affected. The vulnerability specifically resides in the FTS5 full text search extension code in ext/fts5/fts5_index.c.
The fixed version is SQLite 3.53.2, released on 2026-06-03. It can be verified using:
- SQLITE_SOURCE_ID:
2026-06-03 19:12:13 d6e03d8c777cfa2d35e3b60d8ec3e0187f3e9f99d8e2ee9cac695fd6fcdf1a24 - SHA3-256 of sqlite3.c amalgamation:
44fd61b9f93b4155105cb2d80c957ae6c64a8b5bd6ed51a4992f0dbd438e4e11
Applications are vulnerable if they meet all of the following conditions:
- They embed a SQLite version older than 3.53.2
- They include the FTS5 extension (compiled in or loaded as an extension)
- They open database files from sources that could be influenced by an attacker
- They execute FTS5 MATCH queries against those databases
Given SQLite's deployment footprint, affected categories include mobile applications on Android and iOS, desktop applications including browsers (Firefox, Chrome, Safari), messaging clients, and productivity tools, server side applications using SQLite for caching or search indexing, and IoT or embedded systems with SQLite based storage.
Vendor Security History
The SQLite project has a notable track record of FTS5 and memory corruption related CVEs in recent releases:
| CVE | Fixed Version | Description | Classification |
|---|---|---|---|
| CVE-2025-3277 | 3.49.1 | Heap buffer overflow in concat_ws() via integer overflow | CWE-122 |
| CVE-2025-6965 | 3.50.2 | Integer overflow causing read past end of array | Integer overflow |
| CVE-2025-52099 | 3.50.0 | Integer overflow vulnerability | Integer overflow |
| CVE-2025-7709 | 3.49.1 | Out of bounds memory access from corrupt FTS5 index | OOB read |
| CVE-2026-11822 | 3.53.2 | Heap buffer overflow in FTS5 via corrupt records | CWE-122 |
The recurrence of FTS5 related memory corruption bugs (CVE-2025-7709 and now CVE-2026-11822) suggests that the FTS5 extension's complex index data structures present a persistent attack surface. The SQLite team has historically disputed certain CVE classifications. They labeled the RCE classification for CVE-2021-20227 as misinformation and have noted that several CVEs attributed to SQLite were actually bugs in wrapper libraries (CVE-2023-32697 was a Java JDBC wrapper flaw, CVE-2022-38627 was a PHP SQL injection).
Despite their philosophical stance on CVEs, the team demonstrates commendable fix velocity. For CVE-2026-11822, the underlying bugs were fixed on 2026-05-11 and shipped in release 3.53.2 on 2026-06-03. The gap between fix availability and CVE publication (2026-06-09) creates a window where the security relevance of the update may not be widely communicated, though the patch itself is publicly accessible.
References
- NVD: CVE-2026-11822
- SQLite Release 3.53.2 Changelog
- SQLite Check-in 061febcf41 (branch-3.53 fix)
- SQLite Check-in 4a5ad516ea (trunk fix)
- VulnCheck Advisory: SQLite before 3.53.2 Memory Corruption in FTS5 Extension
- SQLite Vulnerabilities Page
- SQLite: Most Widely Deployed Database Engine
- SQLite FTS5 Extension Documentation
- CWE-122: Heap-based Buffer Overflow
- CISA Known Exploited Vulnerabilities Catalog



