CVE-2025-71316

Summary

SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options. Fixed on or around 2025-12-26.

Affected Software

VendorProductVersion RangeStatus
SQLitesqldiff0 < 2025-12-26affected
SQLitesqldiff2025-12-26unaffected

Weaknesses

  • CWE-176: CWE-176 Improper Handling of Unicode Encoding

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References