ZeroPath at Black Hat USA 2026

SQLite FTS5 Memory Corruption: Quick Look at CVE-2026-11822 and Its Billion-Device Attack Surface

A brief summary of CVE-2026-11822, a high severity heap buffer overflow and out of bounds read in SQLite's FTS5 full text search extension affecting all versions before 3.53.2, with implications for billions of deployed devices.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-09

SQLite FTS5 Memory Corruption: Quick Look at CVE-2026-11822 and Its Billion-Device Attack Surface
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Two memory corruption bugs in SQLite's FTS5 full text search extension can be chained to leak heap data and then overwrite heap memory, potentially achieving arbitrary code execution when an application merely runs a search query against a crafted database file. With SQLite embedded in every Android device, every iPhone, every Mac, every Windows 10/11 installation, and every major web browser, the number of potentially affected endpoints is measured in the billions.

Technical Information

CVE-2026-11822 describes two distinct memory corruption conditions in SQLite's FTS5 extension, both located in ext/fts5/fts5_index.c. The FTS5 extension is a virtual table module that provides full text search functionality to SQLite applications, and it is widely used in Android applications for native search, in desktop applications, and in server side deployments.

Root Cause: Out of Bounds Read in fts5LeafSeek()

The first bug resides in the fts5LeafSeek() function. When FTS5 reads a leaf page from a database, a loop iterates over page entries using a bound derived from the page data itself. In a crafted database, the attacker controls this loop bound. A malformed FTS5 leaf page can set the bound to a value that exceeds the actual allocated buffer size, causing the function to read memory beyond the buffer boundary. This out of bounds read can leak sensitive heap contents or trigger a segmentation fault, crashing the process.

Root Cause: Heap Buffer Overflow Write in fts5ChunkIterate()

The second bug resides in the fts5ChunkIterate() function. When FTS5 processes continuation pages during index traversal, it computes a write offset or size based on values read from the page data. A crafted continuation page can cause an integer underflow in this computation, resulting in a write that extends past the end of a heap allocated buffer. This is classified as CWE-122 (Heap based Buffer Overflow), a well understood weakness category where overwriting heap memory can corrupt function pointers, vtable entries, or heap metadata structures, enabling redirection of execution to attacker controlled code.

Attack Flow

The exploitation sequence proceeds through four stages:

  1. Crafted Database Preparation: The attacker constructs a SQLite database file containing malformed FTS5 page data within the FTS5 index structures. The malformed data includes a manipulated loop bound for the fts5LeafSeek() bug and a crafted continuation page for the fts5ChunkIterate() bug.

  2. Database Delivery: The attacker delivers the crafted database file to the target application. This could occur through any mechanism where an application accepts or processes external SQLite databases: file sharing, cloud sync, email attachments, imported backups, or content ingestion pipelines.

  3. Query Trigger: The target application opens the database and executes an FTS5 MATCH query against an FTS5 virtual table. This is the standard operation for full text search in SQLite and is commonly triggered by user initiated search actions in applications.

  4. Memory Corruption: During index traversal, the corrupted page data triggers the memory corruption. The out of bounds read in fts5LeafSeek() fires during leaf page processing, and the heap buffer overflow write in fts5ChunkIterate() fires during continuation page processing.

Compound Exploitation Potential

The dual bug nature of this vulnerability is particularly significant. The out of bounds read can be leveraged for information leakage to map the heap layout of the target process. This information can then be used to refine the heap buffer overflow write into a reliable code execution primitive, bypassing heap randomization and other mitigations. This combination elevates the practical exploitability beyond what either bug alone would permit.

Fix Details

Two commits address the vulnerability, both modifying ext/fts5/fts5_index.c:

CommitAuthorDateBranch
4a5ad516ea93dan2026-05-11 11:12:06trunk
061febcf41cadrh2026-05-11 12:00:19branch-3.53

Both commits carry the description "Fix potential buffer overwrite that could occur in fts5 when processing corrupt records." A regression test file fts5corruptA.test was added alongside each fix to verify the correction. The trunk commit was applied first, with the branch-3.53 backport following approximately 48 minutes later.

Affected Systems and Versions

All SQLite versions prior to 3.53.2 are affected. The vulnerability specifically resides in the FTS5 full text search extension code in ext/fts5/fts5_index.c.

The fixed version is SQLite 3.53.2, released on 2026-06-03. It can be verified using:

  • SQLITE_SOURCE_ID: 2026-06-03 19:12:13 d6e03d8c777cfa2d35e3b60d8ec3e0187f3e9f99d8e2ee9cac695fd6fcdf1a24
  • SHA3-256 of sqlite3.c amalgamation: 44fd61b9f93b4155105cb2d80c957ae6c64a8b5bd6ed51a4992f0dbd438e4e11

Applications are vulnerable if they meet all of the following conditions:

  • They embed a SQLite version older than 3.53.2
  • They include the FTS5 extension (compiled in or loaded as an extension)
  • They open database files from sources that could be influenced by an attacker
  • They execute FTS5 MATCH queries against those databases

Given SQLite's deployment footprint, affected categories include mobile applications on Android and iOS, desktop applications including browsers (Firefox, Chrome, Safari), messaging clients, and productivity tools, server side applications using SQLite for caching or search indexing, and IoT or embedded systems with SQLite based storage.

Vendor Security History

The SQLite project has a notable track record of FTS5 and memory corruption related CVEs in recent releases:

CVEFixed VersionDescriptionClassification
CVE-2025-32773.49.1Heap buffer overflow in concat_ws() via integer overflowCWE-122
CVE-2025-69653.50.2Integer overflow causing read past end of arrayInteger overflow
CVE-2025-520993.50.0Integer overflow vulnerabilityInteger overflow
CVE-2025-77093.49.1Out of bounds memory access from corrupt FTS5 indexOOB read
CVE-2026-118223.53.2Heap buffer overflow in FTS5 via corrupt recordsCWE-122

The recurrence of FTS5 related memory corruption bugs (CVE-2025-7709 and now CVE-2026-11822) suggests that the FTS5 extension's complex index data structures present a persistent attack surface. The SQLite team has historically disputed certain CVE classifications. They labeled the RCE classification for CVE-2021-20227 as misinformation and have noted that several CVEs attributed to SQLite were actually bugs in wrapper libraries (CVE-2023-32697 was a Java JDBC wrapper flaw, CVE-2022-38627 was a PHP SQL injection).

Despite their philosophical stance on CVEs, the team demonstrates commendable fix velocity. For CVE-2026-11822, the underlying bugs were fixed on 2026-05-11 and shipped in release 3.53.2 on 2026-06-03. The gap between fix availability and CVE publication (2026-06-09) creates a window where the security relevance of the update may not be widely communicated, though the patch itself is publicly accessible.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization