CVE-2025-7458
Severity: CRITICAL
SQLite 3.39.2-3.41.1 - Denial of Service and Information Disclosure via ORDER BY Clause
An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.
References (2)
Patch: https://sqlite.org/src/info/12ad822d9b827777
Issue Tracking: https://sqlite.org/forum/forumpost/16ce2bb7a639e29b
Scores
CVSS v3
9.1
EPSS
0.0022
EPSS Percentile
12.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-190
Status
published
Products (1)
sqlite/sqlite
3.39.2 - 3.41.2
Published
Jul 29, 2025
Tracked Since
Feb 18, 2026