SQLite - CVE-2022-35737

Discovery of a 22-year-old vulnerability!

A 22-year-old security flaw in SQLite has just been brought to light. Rated high severity, this vulnerability allows an attacker to crash the program or, under some conditions, execute code. Let's take a closer look.

As a reminder, SQLite is a library that embeds a database engine accessible through the SQL language, much like MySQL. However, SQLite is far lighter and faster to set up: it is used by many applications that you install locally on your smartphone, computer, and so on. Mozilla Firefox, for example, keeps its own SQLite databases. It can also back a Web application, provided that application receives little traffic.

Let's look at the vulnerability…

A change to the source code made in October 2000 is what introduced the security flaw in SQLite. Tracked as CVE-2022-35737 and given a CVSSv3 score of 7.5 out of 10, this vulnerability affects all SQLite versions from 1.0.12 to 3.39.1. The good news is that it was fixed on July 21, 2022, with the release of version 3.39.2.

Discovered by Trail of Bits, this vulnerability is an "integer overflow" bug that occurs when a far too large character string is passed as a parameter. In SQLite's case, the affected code is its printf family of functions, and the format string must contain one of the substitution formats %Q, %q, or %w for the application to crash.

Security researcher Andreas Kellas from Trail of Bits described this vulnerability in a technical report: "CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled". In any case, crashing the program is possible on a vulnerable version (a denial of service, therefore), while code execution depends on how the program was compiled.

It is important to stress that this vulnerability affects 64-bit systems, because those are the systems able to pass a character string large enough to crash the application: the old 4 GB limit on addressable memory no longer applies. This is clearly stated in the report: "When this code was first written, most CPUs had 32-bit registers and 4 GB of addressable memory, so allocating 1 GB strings as input was unrealistic. Now that 64-bit processors are common, allocation of strings of this size is possible and vulnerability conditions are accessible."
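To make the bug class concrete, here is an added illustration (not SQLite's own code) of a %q-style escaper that doubles single quotes: the unsafe shape keeps the required output length in a 32-bit int, which wraps once the escaped input approaches 2 GiB on a 64-bit system, while the hardened shape below counts in size_t and refuses any input whose escaped length would not fit in a signed 32-bit length field. The helper names are hypothetical.

```c
/* Added illustration of the integer-overflow class behind CVE-2022-35737.
 * Not SQLite's code: a hypothetical %q-style escaper with a size guard. */
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Count bytes needed for an escaped copy of s (every ' doubled), computed in
 * size_t. Returns 1 and stores the size in *out, or returns 0 when the escaped
 * length would not fit in a 32-bit signed length field. An escaper that kept
 * this count in an int would silently wrap here instead of failing. */
int escaped_size_checked(const char *s, size_t n, size_t *out) {
    size_t quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'') quotes++;
    if (quotes > (size_t)INT_MAX || n > (size_t)INT_MAX - quotes)
        return 0;                      /* n + quotes would exceed INT_MAX */
    *out = n + quotes;
    return 1;
}

/* Arithmetic-only form of the same guard for a hypothetical input of n bytes
 * containing `quotes` single quotes, so the 2 GiB boundary can be probed
 * without actually allocating a 2 GiB string. */
int escaped_size_fits_int(size_t n, size_t quotes) {
    return quotes <= (size_t)INT_MAX && n <= (size_t)INT_MAX - quotes;
}

/* Escape s for use inside single quotes. Returns a malloc'd NUL-terminated
 * string, or NULL if the size guard rejects the input or malloc fails. */
char *escape_single_quotes(const char *s, size_t n) {
    size_t need;
    if (!escaped_size_checked(s, n, &need)) return NULL;
    char *out = malloc(need + 1);      /* need <= INT_MAX, so +1 cannot wrap */
    if (!out) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        out[j++] = s[i];
        if (s[i] == '\'') out[j++] = '\'';  /* double the quote */
    }
    out[j] = '\0';
    return out;
}

int main(void) {
    char *e = escape_single_quotes("O'Brien", 7);   /* constructed input */
    int big_rejected = !escaped_size_fits_int((size_t)1 << 31, 0);
    free(e);
    return big_rejected ? 0 : 1;
}
```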

If you use SQLite for your own development, be sure to use version 3.39.2 or higher to fix this vulnerability.
