CVE-2019-5018: Use-After-Free Vulnerability in SQLite3 versions 3.26.0 and 3.27.0
On May 9, Cisco's Talos team published a vulnerability disclosure for an exploitable use-after-free remote code execution vulnerability in SQLite versions 3.26.0 and 3.27.0. It received a CVSSv3 score of 8.1. According to Cisco, an attacker can exploit this vulnerability by sending a malicious SQL command, which could result in remote code execution on a victim's machine. The vulnerability exists in the window.c library of SQLite, which reuses a deleted partition in exprListAppendList, leading to a use-after-free vulnerability. Cisco notes that code execution is possible if an attacker is able to gain control of this memory after it is freed. They've also provided a proof-of-concept (PoC) along with this vulnerability disclosure report.
Exploitation of this vulnerability has not yet been observed in the wild and it appears it would require additional effort to exploit.
CVE-2019-5018 has been addressed in SQLite 3.28.0 and later. If you are using SQLite 3.26.0 or 3.27.0 in any of your projects, or are aware of any applications you use that may be vulnerable, please update as soon as possible or monitor for software updates in those applications that address this vulnerability.
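SQLite is usually bundled inside other software rather than installed on its own, so the practical first step is to find out which library version each runtime actually links. The following is an added example (not code from the original post, from Talos, or from the SQLite project) that classifies a SQLite version string against the ranges the advisory names (3.26.0 and 3.27.0 affected, 3.28.0 and later fixed) and checks the library compiled into the running Python interpreter via the standard `sqlite3.sqlite_version` attribute. Versions older than 3.26.0 are reported as "not listed", since the advisory makes no statement about them; the list of sample version strings is constructed for illustration.

```python
import re
import sqlite3

# Version ranges taken from the advisory text above.
AFFECTED_VERSIONS = {(3, 26, 0), (3, 27, 0)}
FIXED_FROM = (3, 28, 0)


def parse_version(version_string):
    """Turn '3.27.0' (or '3.27', '3.31.1') into a comparable tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version_string)
    if not match:
        raise ValueError("unrecognised SQLite version string: %r" % version_string)
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def assess_cve_2019_5018(version_string):
    """Classify a SQLite version as 'affected', 'fixed' or 'not listed'."""
    version = parse_version(version_string)
    if version in AFFECTED_VERSIONS:
        return "affected"
    if version >= FIXED_FROM:
        return "fixed"
    # Older than 3.26.0: the advisory does not cover these releases,
    # so report them separately rather than claiming they are safe.
    return "not listed"


def assess_runtime_sqlite():
    """Check the SQLite library linked into this Python interpreter."""
    return sqlite3.sqlite_version, assess_cve_2019_5018(sqlite3.sqlite_version)


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from several hosts.
    inventory = {
        "build-server": "3.26.0",
        "web-frontend": "3.27.0",
        "analytics-db": "3.28.0",
        "legacy-appliance": "3.25.2",
    }
    for host, version in inventory.items():
        print("%-18s SQLite %-8s -> %s" % (host, version, assess_cve_2019_5018(version)))
    version, status = assess_runtime_sqlite()
    print("this interpreter   SQLite %-8s -> %s" % (version, status))
```

Running the script prints one line per host plus the verdict for the local interpreter; `assess_cve_2019_5018` returns "affected" only for the two releases the advisory names, so it can be dropped into an inventory job that flags runtimes still needing the 3.28.0 update.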