ALAS2023-2026-1903


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1903
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
Severity: Important

Issue Overview:

SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database. (CVE-2026-11822)

SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5. (CVE-2026-11824)


Affected Packages:

sqlite


Issue Correction:
Run dnf update sqlite --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1903 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    sqlite-debugsource-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-debuginfo-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-devel-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-analyzer-debuginfo-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-tcl-3.40.0-1.amzn2023.0.8.aarch64
    lemon-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-tools-debuginfo-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-analyzer-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-libs-debuginfo-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-tools-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-tcl-debuginfo-3.40.0-1.amzn2023.0.8.aarch64
    sqlite-libs-3.40.0-1.amzn2023.0.8.aarch64
    lemon-debuginfo-3.40.0-1.amzn2023.0.8.aarch64

noarch:
    sqlite-doc-3.40.0-1.amzn2023.0.8.noarch

src:
    sqlite-3.40.0-1.amzn2023.0.8.src

x86_64:
    sqlite-debugsource-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-libs-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-tools-debuginfo-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-tcl-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-debuginfo-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-tcl-debuginfo-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-analyzer-debuginfo-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-analyzer-3.40.0-1.amzn2023.0.8.x86_64
    lemon-debuginfo-3.40.0-1.amzn2023.0.8.x86_64
    lemon-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-devel-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-tools-3.40.0-1.amzn2023.0.8.x86_64
    sqlite-libs-debuginfo-3.40.0-1.amzn2023.0.8.x86_64