CVE-2025-29088
Published: April 12, 2025Last modified: November 26, 2025
Description
An issue in sqlite v.3.49.0 allows an attacker to cause a denial of service via the SQLITE_DBCONFIG_LOOKASIDE component
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | NONE |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Notes
NB: The score seems wrong. The bug is in the C API, that a remote attacker has no access to. See e.g. https://sqlite.org/forum/forumpost/48f365daec7e50af01350d72c19c317f02e5fc0d3b1e778256d1fbd8081eec5d See also CVE-2025-52099 which is a bogus copy of this CVE.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | sqlite | Not affected (3.40.0-r0) |
| 25 LTS | sqlite | Not affected (3.49.2-r0) | |
| Stream | sqlite | Fixed (3.49.1-r0) | |
| Hardened Containers | 23 LTS | sqlite | Not affected (3.40.0-r0) |
| Stream | sqlite | Fixed (3.49.1-r0) |