From b97db5d62c0468093d6f241ae160bda04949aabd Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Wed, 8 Jul 2026 13:45:33 -0400 Subject: [PATCH 1/4] Two new sqlite3 advisories --- gems/sqlite3/CVE-2026-54619.yml | 33 ++++++++++++++++++++++++++++++++ gems/sqlite3/CVE-2026-54620.yml | 34 +++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 gems/sqlite3/CVE-2026-54619.yml create mode 100644 gems/sqlite3/CVE-2026-54620.yml diff --git a/gems/sqlite3/CVE-2026-54619.yml b/gems/sqlite3/CVE-2026-54619.yml new file mode 100644 index 0000000000..69020fc08f --- /dev/null +++ b/gems/sqlite3/CVE-2026-54619.yml @@ -0,0 +1,33 @@ +--- +gem: sqlite3 +cve: 2026-54619 +ghsa: 28hh-pr2h-2w89 +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54619 +title: Use-After-Free When Redefining SQLite Functions with Different Arity +date: 2026-06-07 +description: | + ## Summary + + Using Database#create_function or Database#define_function to define + the same function name more than once with different numbers of + arguments ("arity") or text encodings will result in a invalid memory + read and a segmentation fault. + + ## Severity + + The sqlite3-ruby repo maintainers assess this as Low severity. It is + reliably triggered after GC when code is structured in a particular way. + There is no known general exploit that could be used as a denial + of service attack. +patched_versions: + - ">= 2.9.5" +related: + url: + - https://rubygems.org/gems/sqlite3/versions/2.9.5 + - https://github.com/sparklemotion/sqlite3-ruby/releases/tag/v2.9.5 + - https://github.com/sparklemotion/sqlite3-ruby/pull/711 + - https://github.com/sparklemotion/sqlite3-ruby/security/advisories/GHSA-28hh-pr2h-2w89 +notes: | + - NOTE: The gem name is "sqlite3", not the repo name "sqlite3-ruby". + - CVE is reserved, but not published so GHSA Security is + low and no non-GHSA cvss values. diff --git a/gems/sqlite3/CVE-2026-54620.yml b/gems/sqlite3/CVE-2026-54620.yml new file mode 100644 index 0000000000..7f8b2a0667 --- /dev/null +++ b/gems/sqlite3/CVE-2026-54620.yml @@ -0,0 +1,34 @@ +--- +gem: sqlite3 +cve: 2026-54620 +ghsa: j7fr-3v8c-3qc3 +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54620 +title: Use-After-Free in SQLite Aggregate Function Callbacks +date: 2026-06-07 +description: | + ## Summary + + Using Database#create_aggregate, #create_aggregate_handler, or + Database#define_aggregator to define an aggregate function, and + then using an open statement calling that function after the database + has been explicitly closed will result in an invalid memory read + and a segmentation fault. + + ## Severity + + The sqlite3-ruby repo maintainers assess this as Low severity. It is + reliably triggered after GC when code is structured in a particular way. + There is no known general exploit that could be used as a denial + of service attack. +patched_versions: + - ">= 2.9.5" +related: + url: + - https://rubygems.org/gems/sqlite3/versions/2.9.5 + - https://github.com/sparklemotion/sqlite3-ruby/releases/tag/v2.9.5 + - https://github.com/sparklemotion/sqlite3-ruby/pull/711 + - https://github.com/sparklemotion/sqlite3-ruby/security/advisories/GHSA-j7fr-3v8c-3qc3 +notes: | + - NOTE: The gem name is "sqlite3", not the repo name "sqlite3-ruby". + - CVE is reserved, but not published so GHSA Security is + low and no non-GHSA cvss values. From f8246aa472cab7489c29c9803408b76a1e984606 Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Wed, 8 Jul 2026 15:13:26 -0400 Subject: [PATCH 2/4] Add CVE-2026-54619 URL to url: field --- gems/sqlite3/CVE-2026-54619.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/gems/sqlite3/CVE-2026-54619.yml b/gems/sqlite3/CVE-2026-54619.yml index 69020fc08f..d0557edbde 100644 --- a/gems/sqlite3/CVE-2026-54619.yml +++ b/gems/sqlite3/CVE-2026-54619.yml @@ -23,6 +23,7 @@ patched_versions: - ">= 2.9.5" related: url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54619 - https://rubygems.org/gems/sqlite3/versions/2.9.5 - https://github.com/sparklemotion/sqlite3-ruby/releases/tag/v2.9.5 - https://github.com/sparklemotion/sqlite3-ruby/pull/711 From 997209a24ea8d4b9f7449def255ec695e6dd6275 Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Wed, 8 Jul 2026 15:14:39 -0400 Subject: [PATCH 3/4] Add related URLs for CVE-2026-54620 --- gems/sqlite3/CVE-2026-54620.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/gems/sqlite3/CVE-2026-54620.yml b/gems/sqlite3/CVE-2026-54620.yml index 7f8b2a0667..95fc33a98e 100644 --- a/gems/sqlite3/CVE-2026-54620.yml +++ b/gems/sqlite3/CVE-2026-54620.yml @@ -24,6 +24,7 @@ patched_versions: - ">= 2.9.5" related: url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54620 - https://rubygems.org/gems/sqlite3/versions/2.9.5 - https://github.com/sparklemotion/sqlite3-ruby/releases/tag/v2.9.5 - https://github.com/sparklemotion/sqlite3-ruby/pull/711 From c0fc7a48ec0ac350951fdf2cd7a8adb6faccb84a Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Wed, 8 Jul 2026 15:34:30 -0400 Subject: [PATCH 4/4] Update CVE-2026-54619.yml with unaffected versions Add unaffected versions for CVE-2026-54619 in SQLite3. --- gems/sqlite3/CVE-2026-54619.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gems/sqlite3/CVE-2026-54619.yml b/gems/sqlite3/CVE-2026-54619.yml index d0557edbde..f82f7ccb5a 100644 --- a/gems/sqlite3/CVE-2026-54619.yml +++ b/gems/sqlite3/CVE-2026-54619.yml @@ -19,6 +19,8 @@ description: | reliably triggered after GC when code is structured in a particular way. There is no known general exploit that could be used as a denial of service attack. +unaffected_versions: + - "< 2.1.0" patched_versions: - ">= 2.9.5" related: