CVE-2025-3277

An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.

CVSS

No CVSS.

References

Link	Resource
https://sqlite.org/src/info/498e3f1cf57f164f

Configurations

No configuration.

History

15 Apr 2025, 18:39

Type	Values Removed	Values Added
Summary		(es) Se puede activar un desbordamiento de entero en la función `concat_ws()` de SQLite. El entero truncado resultante se utiliza para asignar un búfer. Cuando SQLite escribe la cadena resultante en el búfer, utiliza el tamaño original sin truncar, lo que puede provocar un desbordamiento descontrolado del búfer de montón de aproximadamente 4 GB. Esto puede provocar la ejecución de código arbitrario.

14 Apr 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-14 17:15

Updated : 2025-04-15 18:39

NVD link : CVE-2025-3277

Mitre link : CVE-2025-3277

CVE.ORG link : CVE-2025-3277

JSON object : View

Products Affected

No product.

CWE

CWE-122

Heap-based Buffer Overflow

{"id": "CVE-2025-3277", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-14T17:15:27.297", "references": [{"url": "https://sqlite.org/src/info/498e3f1cf57f164f", "source": "cve-coordination@google.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-122"}]}], "descriptions": [{"lang": "en", "value": "An integer overflow can be triggered in SQLite\u2019s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution."}, {"lang": "es", "value": "Se puede activar un desbordamiento de entero en la funci\u00f3n `concat_ws()` de SQLite. El entero truncado resultante se utiliza para asignar un b\u00fafer. Cuando SQLite escribe la cadena resultante en el b\u00fafer, utiliza el tama\u00f1o original sin truncar, lo que puede provocar un desbordamiento descontrolado del b\u00fafer de mont\u00f3n de aproximadamente 4 GB. Esto puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "lastModified": "2025-04-15T18:39:27.967", "sourceIdentifier": "cve-coordination@google.com"}