VAR-201504-0478 — Vulnetix

Try Vulnetix Request Demo

VAR-201504-0478 PUBLISHED

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a

Timeline

Apr 3, 2009 CVE Published
Sep 12, 2017 PoC Published
Mar 31, 2026 Distribution Patch
Mar 31, 2026 Distribution Patch
Mar 31, 2026 Security Advisory
Mar 31, 2026 Security Advisory

References

RHSA-2015:1635 vendor-advisory
1033703 vdb
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html url
74228 vdb
APPLE-SA-2015-09-30-3 vendor-advisory
GLSA-201507-05 vendor-advisory
USN-2698-1 vendor-advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html url
https://support.apple.com/HT205267 url
APPLE-SA-2015-09-21-1 vendor-advisory
https://www.sqlite.org/src/info/02e3c88fbf6abdcf3975fb0fb71972b0ab30da30 url
MDVSA-2015:217 vendor-advisory
https://support.apple.com/HT205213 url
DSA-3252 vendor-advisory
20150414 several issues in SQLite (+ catching up on several other bugs) mailing-list

Open in Interactive Console →