Use After Free Affecting sqlite3 package, versions <2.9.5


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUBY-SQLITE3-17900540
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditcla7aye15I4nd

Introduced: 8 Jul 2026

NewCVE-2026-54619  (opens in a new tab)
CWE-416  (opens in a new tab)

How to fix?

Upgrade sqlite3 to version 2.9.5 or higher.

Overview

Affected versions of this package are vulnerable to Use After Free in Database#define_function and Database#create_function through the custom function registry in lib/sqlite3/database.rb. An attacker can trigger a segmentation fault by redefining the same SQLite function name with a different arity or text encoding, then invoking the earlier definition after garbage collection. This leaves Ruby block references for the original function freed while SQLite still holds a callable function entry, causing invalid memory reads when the function is executed.

Notes

  • The maintainer's advisory scope is the database object’s custom-function registry in the Ruby wrapper; it is not limited to one registration API, since both create_function and define_function feed the same lifetime-managed function storage.
  • The crash is easiest to reach in code that redefines a custom function under the same name with a different arity or text encoding and then lets Ruby’s GC run before the earlier SQL call path is exercised.

Workarounds

  • Avoid defining multiple custom SQLite functions with the same name but different arities or text encodings via Database#create_function or Database#define_function; this prevents the use-after-free and segmentation fault triggered when the earlier definition is later invoked after garbage collection.

CVSS Base Scores

version 4.0
version 3.1