Integer Truncation on SQLite
Summary
| CVE | CVE-2025-6965 |
|---|---|
| State | PUBLISHED |
| Assigner | |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-07-15 14:15:31 UTC |
| Updated | 2026-04-14 10:16:29 UTC |
| Description | There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. |
Risk And Classification
Primary CVSS: v4.0 7.2 HIGH from [email protected]
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green
EPSS: 0.011820000 probability, percentile 0.787930000 (date 2026-04-15)
Problem Types: CWE-197 | CWE-197 CWE-197: Numeric Truncation Error
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.2 | HIGH | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/C... |
| 4.0 | CNA | CVSS | 7.2 | HIGH | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/S:N/A... |
| 3.1 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighAttack Requirements
PresentPrivileges Required
LowUser Interaction
NoneConfidentiality
LowIntegrity
HighAvailability
LowSub Conf.
LowSub Integrity
HighSub Availability
LowCVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | SQLite | SQLite | affected 3.50.2 semver | Not specified |
| ADP | Siemens | RUGGEDCOM CROSSBOW Station Access Controller SAC | affected V5.8 custom | Not specified |
| ADP | Siemens | SIDIS Prime | affected V4.0.800 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| seclists.org/fulldisclosure/2025/Sep/49 | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | |
| seclists.org/fulldisclosure/2025/Sep/57 | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | |
| www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b9... | [email protected] | www.sqlite.org | Patch |
| www.openwall.com/lists/oss-security/2025/09/06/1 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| seclists.org/fulldisclosure/2025/Sep/53 | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | |
| seclists.org/fulldisclosure/2025/Sep/56 | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | |
| cert-portal.siemens.com/productcert/html/ssa-225816.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| cert-portal.siemens.com/productcert/html/ssa-485750.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| seclists.org/fulldisclosure/2025/Sep/58 | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Vlad Stolyarov of Google's Threat Analysis Group, with assistance from Google Big Sleep (en)
There are currently no legacy QID mappings associated with this CVE.