Critical vulnerabilities found in SQLite

Cybersecurity specialists have reported the finding of at least two critical vulnerabilities in SQLite, the popular open source relational database management system. According to the report, exploiting these vulnerabilities could lead to denial of service (DDoS) attack scenarios.

Below is a brief overview of the vulnerabilities found, in addition to their respective scores and identification keys according to the Common Vulnerability Scoring System (CVSS).

The first of the vulnerabilities found, tracked as CVE-2020-13434, exists due to an integer overflow within the sqlite3_str_vappendf() function in printf.c and would allow threat actors to deploy a denial of service attack.

Remote hackers could pass specially designed data to the target application, trigger integer overflow and eventually crash the app. The vulnerability received a score of 6.5/10 on the CVSS scale, so it is considered a medium severity flaw.

To exploit this flaw, malicious hackers would have to send a specially crafted request to the affected application. Although the vulnerability could be exploited by a remote threat actor over the Internet, so far it has not been confirmed that malware has been found to trigger the attack.

Moreover, the second reported vulnerability (tracked as CVE-2020-13435) exists due to insufficient input validation provided by users in the sqlite3ExprCodeTarget() function on expr.c, and would allow malicious hackers to deploy denial of service attacks.

Threat actors can pass specially designed inputs to the target application, triggering the attack. The vulnerability received a score of 6.6/10 on the CVSS scale, so it is considered a medium severity flaw.


To exploit the vulnerability, hackers would only need to send specially crafted requests to the target application. Although the vulnerability can be exploited remotely by unauthenticated attackers, so far no malware has been detected to trigger the attack.

Developers recognized the vulnerabilities and began working on an update patch immediately after receiving the report. Fixes are now available, so vulnerable deployment administrators are encouraged to install the appropriate updates as soon as possible.   

Other similar flaws have been reported above. In early April, SQLite revealed an insufficient validation flaw of user input when improperly handling the initialization of the AggInfo object. Its exploitation allows a remote threat actor to deploy denial of service attacks by sending specially designed information using a formatted function query, triggering the DDoS condition.