Security Experts:

Connect with us

Hi, what are you looking for?



Remote Code Execution Vulnerability Impacts SQLite

A use-after-free vulnerability in SQLite could be exploited by an attacker to remotely execute code on a vulnerable machine, Cisco Talos security researchers have discovered. 

A use-after-free vulnerability in SQLite could be exploited by an attacker to remotely execute code on a vulnerable machine, Cisco Talos security researchers have discovered. 

Tracked as CVE-2019-5018 and featuring a CVSS score of 8.1, the vulnerability resides in the window function functionality of Sqlite3 3.26.0 and 3.27.0.

To trigger the flaw, an attacker would need to send a specially crafted SQL command to the victim, which could allow them to execute code remotely. 

The popular SQLite library, a client-side database management system, is widely used in mobile devices, browsers, hardware devices, and user applications, Talos notes

SQLite implements the Window Functions feature of SQL, allowing queries over a subset, or “window,” of rows, and the newly revealed vulnerability was found in the “window” function. 

The security researchers discovered that, after the parsing of a SELECT statement that contains a window function, in certain conditions, the expression-list held by the SELECT object is rewritten and the master window object is used during the process. 

When processing an aggregate function and after it is appended to the expression list, the expression is deleted. During deletion, if the expression is marked as a Window Function, the associated Window object and partition for the Window are deleted as well.

The deleted partition is reused after the rewrite of the expression list, which causes a use-after-free vulnerability that leads to a denial of service. However, if the attacker could control the memory after the free, they can corrupt more data and potentially execute code. 

“Talos tested and confirmed that versions 3.26.0 and 3.27.0 of SQLite are affected by this vulnerability,” the researchers note. 

The security researchers, who published proof-of-concept code, reported the vulnerability to the vendor in early February. An update to patch the issue had been released weeks before the advisory was made public. 

Related: Code Execution Flaw in SQLite Affects Chrome, Other Software

Related: JavaScript Library Introduced XSS Flaw in Google Search

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet