Use After Free Affecting sqlite3 package, versions >=2.1.0, <2.9.5


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUBY-SQLITE3-17900536
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditcla7aye15I4nd

Introduced: 8 Jul 2026

NewCVE-2026-54620  (opens in a new tab)
CWE-416  (opens in a new tab)

How to fix?

Upgrade sqlite3 to version 2.9.5 or higher.

Overview

Affected versions of this package are vulnerable to Use After Free via the aggregate function callbacks in Database#create_aggregate, #create_aggregate_handler, and Database#define_aggregator. An attacker can trigger an invalid memory read and segmentation fault by keeping a prepared statement that calls an aggregate function alive after the database has been explicitly closed or discarded, then stepping that statement. The vulnerable code clears the database’s -aggregators reference on close and discard, leaving aggregate callback objects eligible for garbage collection while an open statement still references them. This breaks applications that close a database while outstanding statements remain and can crash the process when the statement later executes.

Notes

  • The crash depends on the database being closed with a prepared statement still alive; code that finalizes or drops outstanding statements before closing does not hit this path.
  • The advisory covers the aggregate-callback APIs exposed by the gem’s Ruby wrapper, not ordinary scalar query execution.

Workarounds

  • Avoid calling an aggregate function from a prepared statement after the associated database has been explicitly closed, including soft-close paths such as close or discard; this prevents the invalid memory read and segmentation fault triggered when the statement is stepped later.

CVSS Base Scores

version 4.0
version 3.1