#1139960 sqlite3: CVE-2026-11822 CVE-2026-11824

Package:
src:sqlite3
Source:
src:sqlite3
Submitter:
Salvatore Bonaccorso
Date:
2026-06-14 12:47:01 UTC
Severity:
normal
#1139960#5
Date:
2026-06-14 05:55:33 UTC
Hi Laszlo,

The following vulnerabilities were published for sqlite3.

Can you help assess them please, info on two CVEs below which carry the
same fix references in the database:

CVE-2026-11822[0]:
| SQLite before 3.53.2 contains memory corruption vulnerabilities in
| the FTS5 full-text search extension that allow attackers to cause
| process crashes, memory exhaustion, or arbitrary code execution by
| supplying a crafted database with malformed FTS5 page data.
| Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an
| attacker-controlled loop bound and a heap buffer overflow write in
| fts5ChunkIterate() through a crafted continuation page causing an
| integer underflow, exploitable when an FTS5 MATCH query is executed
| against the malicious database.


CVE-2026-11824[1]:
| SQLite before 3.53.2 contains a heap-based buffer overflow
| vulnerability in the FTS5 full-text search extension that allows
| attackers to cause a crash or execute arbitrary code by supplying a
| crafted database with malicious continuation page metadata
| specifying a szLeaf value smaller than 4. Attackers can trigger an
| integer underflow in fts5ChunkIterate() causing an inflated
| remaining byte count during FTS5 MATCH query processing, leading to
| a heap buffer overflow of attacker-controlled data in applications
| compiled with SQLITE_ENABLE_FTS5.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-11822
https://www.cve.org/CVERecord?id=CVE-2026-11822
[1] https://security-tracker.debian.org/tracker/CVE-2026-11824
https://www.cve.org/CVERecord?id=CVE-2026-11824
[2] https://sqlite.org/src/info/061febcf41ca
[3] https://sqlite.org/src/info/4a5ad516ea93

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
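
An exposure check built from the two conditions in the CVE text above (upstream version before 3.53.2, FTS5 compiled in), as an added example that is not part of the original report or of SQLite. The function names and status labels are hypothetical; an older version string only means "verify", since a distribution may backport the fixes without changing the upstream version.

```python
import sqlite3

# First upstream release carrying the fixes, per the CVE text in this report.
FIXED_UPSTREAM = (3, 53, 2)


def fts5_in_options(compile_options):
    """PRAGMA compile_options lists option names without the SQLITE_ prefix."""
    return any(o.upper() in ("ENABLE_FTS5", "SQLITE_ENABLE_FTS5")
               for o in compile_options)


def fts5_probe(con):
    """Fallback for builds that omit compile-option diagnostics:
    creating an FTS5 table fails with 'no such module' when FTS5 is absent."""
    try:
        con.execute("CREATE VIRTUAL TABLE fts5_probe USING fts5(x)")
        con.execute("DROP TABLE fts5_probe")
        return True
    except sqlite3.OperationalError:
        return False


def classify(version_info, has_fts5):
    """Map (version, FTS5 present) to a triage status (labels are hypothetical)."""
    if not has_fts5:
        return "fts5-absent"
    if tuple(version_info) >= FIXED_UPSTREAM:
        return "fixed-upstream"
    # Older version string: affected unless the distributor backported the fixes.
    return "check-backport"


def assess_runtime():
    """Assess the SQLite library this Python interpreter is linked against."""
    con = sqlite3.connect(":memory:")
    try:
        opts = [row[0] for row in con.execute("PRAGMA compile_options")]
        has_fts5 = fts5_in_options(opts) or fts5_probe(con)
    finally:
        con.close()
    return {"version": sqlite3.sqlite_version, "fts5": has_fts5,
            "status": classify(sqlite3.sqlite_version_info, has_fts5)}


if __name__ == "__main__":
    print(assess_runtime())
```

This only inspects the library loaded by the interpreter; other processes may link a different or statically bundled SQLite.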

#1139960#10
Date:
2026-06-14 07:33:36 UTC
We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139960@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated sqlite3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 13 Jun 2026 21:08:12 +0200
Source: sqlite3
Architecture: source
Version: 3.53.2-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1139960
Changes:
 sqlite3 (3.53.2-1) unstable; urgency=high
 .
   * New upstream release (closes: #1139960):
     - fixes CVE-2026-11822: memory corruption vulnerabilities in the FTS5
       full-text search extension,
     - fixes CVE-2026-11824: heap-based buffer overflow vulnerability in the
       FTS5 full-text search extension.
   * Remove sqlite3JsonTableFunctions@Base, sqlite3TriggerStepSrc@Base and
     sqlite3VdbeCheckFk@Base symbols as no longer part of the library.
   * Update symbols file.
   * Update watch file.

#1139960#15
Date:
2026-06-14 09:08:33 UTC
Hi Salvatore,
 I've checked and Bookworm is definitely affected. The fixes are easy
to backport. Information I've found suggests that these might have a
PoC available.
As far as I know, there's no application in Debian that allows network
connection and uses input directly with FTS5. But as the package is
compiled with FTS5 support, local exploits might be possible.
Does this help? Can I help with more details?

Regards,
Laszlo/GCS

#1139960#22
Date:
2026-06-14 11:48:09 UTC
Hi László,

Yes thank you that helps. Moritz did mark those already as no-dsa in
the tracker, would you be open to fix those then via upcoming point
release for trixie? Maybe, if LTS team does not consider a DLA, then
the fixes might be included as well in the last bookworm point release
(and if feasible along with the two more no-dsa tagged ones).

Thanks for your work!

Regards,
Salvatore

#1139960#27
Date:
2026-06-14 12:45:35 UTC
 Indeed, I will prepare the Trixie PU. Meanwhile I've found that
there's an additional changeset for this vulnerability [1]. I don't
know how official it is, but it might be worth adding it to the Debian
security entry if you agree.

Regards,
Laszlo/GCS
[1] https://sqlite.org/src/info/fad98805b7d73abf