Back to list

In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is — CVE-2025-29087

Date
Source
MSRC
Vendor
Microsoft
Threat
low
CVSS
3.2

Summary

Advisory CVE-2025-29087. In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a… Vendor: Microsoft. Source: MSRC. Threat: low. CVSS 3.2. See the official advisory for…

What to do

General, cautious steps (verify details in the official source):

  • Review exposure and plan remediation based on risk and environment.
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

Microsoft MSRC 2025-W15