Talos security researchers discovered a Use After Free vulnerability in SQLite, allows attackers to send malicious SQL commands to trigger the vulnerability.
The free vulnerability exists in the window function functionality of Sqlite3; the flaw can be tracked as CVE-2019-5018; it affects SQLite 3.26.0, 3.27.0 and receives 8.1 – CVSS:3.0 score.
SQLite is a favorite library used in implementing SQL database engine; it is used extensively in a number of devices including mobile devices, browsers, hardware devices, and user applications.
“SQLite implements the Window Functions feature of SQL which allows queries over a subset, or “window,” of rows. After parsing a SELECT statement that contains a window function, the SELECT statement is transformed using the sqlite3WindowRewrite function.”