VA-26-155-01

Vulnerability from csaf_cisa - Published: 2026-06-04 14:10 - Updated: 2026-06-04 14:10
Summary
SQLite sqldiff remote code execution via argument injection
Notes
Legal Notice: All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).
Countries and Areas Deployed: Worldwide
Critical Infrastructure Sectors: Information Technology
Risk Evaluation: An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options.
Recommended Practices: Fixed on 2025-12-26.
Company Headquarters Location: United States
CVE-2025-71316
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-176 - Improper Handling of Unicode Encoding
Affected products
Product Identifier Version Remediation
SQLite sqldiff <2025-12-26
SQLite / sqldiff
 <2025-12-26
Vendor Fix fix
Product Identifier Version Remediation
SQLite sqldiff 2025-12-26
SQLite / sqldiff
 2025-12-26
Vendor Fix fix
References
Acknowledgments
Vincent55
To clipboard 

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).",
        "title": "Legal Notice"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries and Areas Deployed"
      },
      {
        "category": "other",
        "text": "Information Technology",
        "title": "Critical Infrastructure Sectors"
      },
      {
        "category": "summary",
        "text": " An attacker could use the \u0027-L\u0027 option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options.",
        "title": "Risk Evaluation"
      },
      {
        "category": "general",
        "text": "Fixed on 2025-12-26.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company Headquarters Location"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "https://www.cisa.gov/report",
      "issuing_authority": "CISA",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Vulnerability Advisory VA-26-155-01 CSAF",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-155-01.json"
      }
    ],
    "title": "SQLite sqldiff remote code execution via argument injection",
    "tracking": {
      "current_release_date": "2026-06-04T14:10:30Z",
      "generator": {
        "engine": {
          "name": "VINCE-NT",
          "version": "1.15.0+build.86"
        }
      },
      "id": "VA-26-155-01",
      "initial_release_date": "2026-06-04T14:10:30Z",
      "revision_history": [
        {
          "date": "2026-06-04T14:10:30Z",
          "number": "1.0.0",
          "summary": "Initial publication"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2025-12-26",
                "product": {
                  "name": "SQLite sqldiff \u003c2025-12-26",
                  "product_id": "CSAFPID-0001"
                }
              },
              {
                "category": "product_version",
                "name": "2025-12-26",
                "product": {
                  "name": "SQLite sqldiff 2025-12-26",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "sqldiff"
          }
        ],
        "category": "vendor",
        "name": "SQLite"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Vincent55"
          ]
        }
      ],
      "cve": "CVE-2025-71316",
      "cwe": {
        "id": "CWE-176",
        "name": "Improper Handling of Unicode Encoding"
      },
      "notes": [
        {
          "category": "summary",
          "text": "SQLite \u0027sqldiff.exe\u0027 does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages.  An attacker could use the \u0027-L\u0027 option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options. Fixed on or around 2025-12-26.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:N/T:T/2026-06-04T17:02:25Z/",
          "title": "SSVC"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0002"
        ],
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "sqlite.org",
          "url": "https://sqlite.org/src/file/tool/winmain.c"
        },
        {
          "category": "external",
          "summary": "learn.microsoft.com",
          "url": "https://learn.microsoft.com/en-us/windows/win32/api/processenv/nf-processenv-getcommandlinea#security-remarks"
        },
        {
          "category": "external",
          "summary": "i.blackhat.com",
          "url": "https://i.blackhat.com/EU-24/Presentations/EU-24-Tsai-V2-WorstFit-Unveiling-Hidden-Transformers-in-Windows-ANSI.pdf"
        },
        {
          "category": "external",
          "summary": "VA-26-155-01",
          "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-155-01.json"
        },
        {
          "category": "external",
          "summary": "CVE-2025-71316",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-71316"
        }
      ],
      "release_date": "2025-12-26T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-26T00:00:00Z",
          "details": "Fixed on 2025-12-26.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://sqlite.org/src/file/tool/winmain.c"
        },
        {
          "category": "vendor_fix",
          "date": "2025-12-26T00:00:00Z",
          "details": "Fixed on 2025-12-26.",
          "product_ids": [
            "CSAFPID-0002"
          ],
          "url": "https://sqlite.org/src/file/tool/winmain.c"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "SQLite sqldiff remote code execution via argument injection"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.