SQLite applications that accept untrusted database files are exposed to a high-severity FTS5 heap overflow. Patch embedded SQLite copies now.
Impact first. CVE-2026-11824 affects SQLite versions before 3.53.2 when applications are built with SQLITE_ENABLE_FTS5. The flaw is a heap-based buffer overflow in the FTS5 full-text search extension. It can crash an application. It can also allow arbitrary code execution under the privileges of the vulnerable process.
The supplied Microsoft Security Update Guide title does not match the authoritative CVE record. NVD lists CVE-2026-11824 as a SQLite vulnerability sourced from VulnCheck, not as a Microsoft product issue. Treat this as a SQLite dependency exposure. Microsoft software may still be affected if it embeds a vulnerable SQLite build with FTS5 enabled, but that requires product-specific confirmation.
Affected products
Affected software is SQLite before 3.53.2. The vulnerable path requires FTS5 support. FTS5 is SQLite's full-text search engine. Applications use it to index and query text content with MATCH expressions, tokenizers, and virtual tables.
The highest-risk systems are applications that open SQLite database files supplied by users, customers, partners, plugins, sync folders, browser extensions, mobile imports, email attachments, support bundles, or forensic collections. This includes desktop tools, mobile apps, document processors, search tools, endpoint utilities, and services that inspect uploaded databases.
The vulnerable condition is specific. An attacker supplies a crafted SQLite database with malicious FTS5 continuation page metadata. The metadata specifies a szLeaf value smaller than 4. During FTS5 MATCH query processing, fts5ChunkIterate() can hit an integer underflow. That underflow inflates a remaining byte count. The result is a heap buffer overflow involving attacker-controlled data.
Severity
VulnCheck rates the issue high severity. The advisory assigns CVSS 4.0 score 8.5, high, with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. NVD also shows a CNA-provided CVSS 3.1 score of 7.8, high, with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
The vector matters. Local attack vector does not mean low operational risk. SQLite is often used as a file parser inside larger applications. If a user opens a malicious database, imports one, indexes one, or lets an automated workflow process one, the local boundary can become a realistic initial execution path.
User interaction is required in the CVSS 3.1 vector. That interaction may be indirect. A user might open a file. A service might process a file uploaded by another user. A support engineer might inspect a database attached to a ticket. An automated job might run an FTS5 query during ingestion.
Technical details
FTS5 stores its full-text index inside SQLite-managed structures as a series of leaf pages. Each page carries size metadata, including the szLeaf field, that tells the reader how many bytes of index data the page holds and where a record continues on the next page. CVE-2026-11824 abuses malformed continuation page metadata: the vulnerable code trusts a size relationship that a crafted database can break.
The dangerous value is szLeaf. The iterator derives the number of payload bytes on a continuation page by subtracting a fixed header size from szLeaf. When szLeaf is smaller than 4, that subtraction inside fts5ChunkIterate() underflows. In signed arithmetic the result is negative, and subtracting a negative chunk length from the remaining byte count makes the count grow instead of shrink; in unsigned or size-based arithmetic the same value wraps to a huge number. Either way, code that thinks only a small chunk remains can instead attempt to process a much larger byte range.
That is the core bug. Bad metadata becomes bad length calculation. Bad length calculation becomes heap memory corruption. Heap corruption can produce denial of service. Under the right allocator, build, platform, and memory layout conditions, it can become code execution.
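The arithmetic above, as an added C model written for this page; it is not SQLite's fts5ChunkIterate() source and not the upstream fix. The page layout (szLeaf in the first two bytes), the 64-byte page size, and the names Page, walk_vulnerable, walk_hardened and chain_walk are assumptions of the demo. No copy is ever performed, so the program only reports the length a memcpy-style consumer would have been handed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64   /* hypothetical leaf page size for this demo */
#define LEAF_HDR  4    /* bytes skipped before chunk payload; the "4" in szLeaf - 4 */

/* Constructed leaf page: for this demo the first two bytes hold szLeaf
 * big-endian and the rest is attacker-controlled filler. The field position
 * is an assumption of the demo, not a statement about the real FTS5 layout. */
typedef struct { uint8_t p[PAGE_SIZE]; } Page;

static void page_init(Page *pg, int szLeaf) {
    memset(pg->p, 0x41, sizeof pg->p);
    pg->p[0] = (uint8_t)(szLeaf >> 8);
    pg->p[1] = (uint8_t)(szLeaf & 0xff);
}

static int page_szLeaf(const Page *pg) {
    return (pg->p[0] << 8) | pg->p[1];
}

typedef struct {
    int    rc;        /* 0 = walk completed, 1 = corrupt page rejected */
    size_t maxChunk;  /* largest byte count handed to the chunk consumer */
    int    nRemFinal; /* remaining-bytes counter when the walk stopped */
} WalkResult;

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Record what a memcpy-style consumer would be told to copy. A negative int
 * converted to size_t becomes an enormous length; nothing is actually copied. */
static void note_chunk(WalkResult *r, int nChunk) {
    size_t nCopy = (size_t)nChunk;
    if (nCopy > r->maxChunk) r->maxChunk = nCopy;
}

/* Vulnerable pattern: trusts szLeaf and computes szLeaf - LEAF_HDR with no
 * floor, so a page claiming szLeaf < 4 yields a negative chunk length. */
static WalkResult walk_vulnerable(const Page *pages, int nPages, int nPos) {
    WalkResult r = {0, 0, 0};
    int nRem = nPos;
    for (int i = 0; i < nPages && nRem > 0; i++) {
        int szLeaf = page_szLeaf(&pages[i]);
        int nChunk = MIN(nRem, szLeaf - LEAF_HDR);
        note_chunk(&r, nChunk);
        nRem -= nChunk;   /* subtracting a negative value inflates nRem */
    }
    r.nRemFinal = nRem;
    return r;
}

/* Hardened pattern: reject any page whose szLeaf cannot describe a valid
 * payload before it reaches the length arithmetic. This shows the class of
 * check the bug needs; it is not a copy of SQLite's actual patch. */
static WalkResult walk_hardened(const Page *pages, int nPages, int nPos) {
    WalkResult r = {0, 0, 0};
    int nRem = nPos;
    for (int i = 0; i < nPages && nRem > 0; i++) {
        int szLeaf = page_szLeaf(&pages[i]);
        if (szLeaf < LEAF_HDR || szLeaf > PAGE_SIZE) {
            r.rc = 1;   /* corrupt: stop before any length is derived */
            break;
        }
        int nChunk = MIN(nRem, szLeaf - LEAF_HDR);
        note_chunk(&r, nChunk);
        nRem -= nChunk;
    }
    r.nRemFinal = nRem;
    return r;
}

/* Two-page chain with nPos = 100 so the walk must continue onto page 2.
 * crafted = 1 gives the second page szLeaf = 2, the condition in the advisory. */
static WalkResult chain_walk(int crafted, int hardened) {
    Page pages[2];
    page_init(&pages[0], PAGE_SIZE);
    page_init(&pages[1], crafted ? 2 : PAGE_SIZE);
    return hardened ? walk_hardened(pages, 2, 100) : walk_vulnerable(pages, 2, 100);
}

int main(void) {
    WalkResult v = chain_walk(1, 0), h = chain_walk(1, 1);
    printf("vulnerable: rc=%d maxChunk=%zu nRem=%d\n", v.rc, v.maxChunk, v.nRemFinal);
    printf("hardened:   rc=%d maxChunk=%zu nRem=%d\n", h.rc, h.maxChunk, h.nRemFinal);
    return 0;
}
```

On the crafted chain the vulnerable walk consumes 60 bytes from the first page, then computes a chunk length of -2 for the second page: the remaining count climbs from 40 to 42 instead of reaching zero, and the consumer is told to process a size_t of (size_t)-2. The hardened walk returns the corrupt code at the second page with the count still at 40. On a well-formed chain both walks finish with zero remaining.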
The issue maps to CWE-122, Heap-based Buffer Overflow. That class remains dangerous because the heap stores application objects, buffers, pointers, and allocator metadata. Modern mitigations raise exploitation cost, but they do not make memory corruption harmless.
Timeline
SQLite released version 3.53.2 on June 3, 2026. The release notes describe fixes for problems reported after 3.53.0 and point to the SQLite source timeline for details.
VulnCheck published its advisory on June 9, 2026. NVD records show the CVE was received from VulnCheck on June 9, 2026, at 4:16:32 PM. NIST initial analysis followed on June 11, 2026, at 1:12:11 PM. NVD lists affected CPE configuration as SQLite versions up to, but excluding, 3.53.2.
SQLite fix references include source check-ins 061febcf41ca and 4a5ad516ea93. Organizations should track downstream package advisories as Linux distributions, language runtimes, SDKs, and application vendors rebuild their bundled SQLite copies.
Required action
Upgrade SQLite to 3.53.2 or later. Do not stop at operating system package checks. Many applications statically link SQLite or ship private copies. Inventory embedded SQLite libraries in desktop apps, mobile apps, containers, language packages, browser components, endpoint agents, and vendor products.
Confirm the runtime version. Use sqlite3_libversion() in application diagnostics where possible. Check package manager output only for dynamically linked system libraries. For statically linked binaries, inspect build manifests, SBOMs, vendor notices, or binary provenance.
Rebuild affected applications with SQLite 3.53.2 or later. Redeploy the rebuilt artifacts. Restart services that load SQLite into long-running processes. Re-test any feature that uses FTS5 virtual tables or MATCH queries.
If immediate upgrade is not possible, reduce exposure. Disable FTS5 where the application does not require full-text search. Reject untrusted SQLite database files. Block automatic indexing of uploaded SQLite files. Run database inspection workflows in a sandboxed process with least privilege. Treat SQLite files from outside the trust boundary as active content, not passive data.
Add detection logic for risky workflows. Look for applications that accept .sqlite, .sqlite3, .db, or application-specific database exports. Prioritize systems that run FTS5 searches over imported data. Prioritize tools used by analysts, support staff, and administrators, because those users often handle untrusted samples with elevated local permissions.
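The version check and the file-sniffing step above, as an added C example written for this page rather than taken from SQLite or any vendor. It assumes the caller feeds it the string from sqlite3_libversion() or the integer from sqlite3_libversion_number(); the demo passes literal strings instead so it builds without the SQLite headers. The names sqlite_version_fixed, looks_like_sqlite and accept_upload, and the SAMPLE_DB buffer, are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* First fixed release named in the advisory. */
#define FIX_MAJOR 3
#define FIX_MINOR 53
#define FIX_PATCH 2

/* Return 1 if a dotted "X.Y.Z" string, in the form sqlite3_libversion()
 * returns, is at or above the fixed release. Anything unparseable counts as
 * unpatched so an unknown build is never waved through. */
int sqlite_version_fixed(const char *v) {
    int maj = 0, min = 0, pat = 0;
    if (v == NULL || sscanf(v, "%d.%d.%d", &maj, &min, &pat) < 2) return 0;
    if (maj != FIX_MAJOR) return maj > FIX_MAJOR;
    if (min != FIX_MINOR) return min > FIX_MINOR;
    return pat >= FIX_PATCH;
}

/* Same decision for the integer sqlite3_libversion_number() returns, which
 * encodes X.Y.Z as X*1000000 + Y*1000 + Z (3.53.2 -> 3053002). */
int sqlite_version_number_fixed(int n) {
    return n >= FIX_MAJOR * 1000000 + FIX_MINOR * 1000 + FIX_PATCH;
}

/* Every SQLite 3 database file starts with the 16-byte header string
 * "SQLite format 3\0". Sniffing it catches renamed or extension-less files
 * that an allow-list of .db, .sqlite and .sqlite3 would miss. */
static const char SQLITE_MAGIC[16] = "SQLite format 3";

int looks_like_sqlite(const unsigned char *buf, size_t len) {
    return len >= sizeof SQLITE_MAGIC &&
           memcmp(buf, SQLITE_MAGIC, sizeof SQLITE_MAGIC) == 0;
}

/* Ingest gate for an upload or ticket attachment: accept the buffer if it is
 * not a SQLite file, or if it is one and the linked library is already at the
 * fixed release. Returns 1 = accept, 0 = reject. */
int accept_upload(const unsigned char *buf, size_t len, const char *libversion) {
    if (!looks_like_sqlite(buf, len)) return 1;
    return sqlite_version_fixed(libversion);
}

/* Constructed sample: the start of a SQLite 3 file header. Only the magic
 * string matters to the sniff; the remaining bytes are zero filler. */
static const unsigned char SAMPLE_DB[32] = "SQLite format 3";

int main(void) {
    const char *versions[] = {"3.45.1", "3.53.1", "3.53.2", "3.54.0", "garbage"};
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++)
        printf("%-8s fixed=%d accept_sqlite_upload=%d\n", versions[i],
               sqlite_version_fixed(versions[i]),
               accept_upload(SAMPLE_DB, sizeof SAMPLE_DB, versions[i]));
    return 0;
}
```

In a real build, call sqlite3_libversion() at startup and log the result; that catches a statically linked copy that package-manager output cannot see. Whether FTS5 is compiled in can be read from the same library with sqlite3_compileoption_used("ENABLE_FTS5"), so the gate can be relaxed for builds that never load the extension.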
Operational priority
Patch internet-facing upload processors first if they parse SQLite files. Patch endpoint and desktop applications next if users can open external database files. Patch developer tools, mobile sync utilities, and internal data inspection tools after that. Embedded dependencies are the hard part. They are also where old SQLite versions persist.
This is a dependency vulnerability with application-level blast radius. The SQLite engine is small, widely embedded, and often invisible in asset inventories. The fix is available. Upgrade to SQLite 3.53.2 or later, rebuild dependent software, and restrict untrusted database handling until patched builds are deployed.