SUSE-SU-2026:22104-1: important: Security update for sqlite3
SLE-SECURITY-UPDATES
null at suse.de
Tue Jun 16 20:39:20 UTC 2026
# Security update for sqlite3
Announcement ID: SUSE-SU-2026:22104-1
Release Date: 2026-06-15T09:13:01Z
Rating: important
References:
* bsc#1268012
* bsc#1268013
Cross-References:
* CVE-2026-11822
* CVE-2026-11824
CVSS scores:
* CVE-2026-11822 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-11822 ( NVD ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-11822 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-11824 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-11824 ( NVD ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-11824 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
* SUSE Linux Micro 6.0
An update that solves two vulnerabilities can now be installed.
## Description:
This update for sqlite3 fixes the following issues:
Update to 3.53.2:
* CVE-2026-11822: memory corruption vulnerabilities in the FTS5 full-text
search extension that allow attackers to cause process crashes, memory
exhaustion, or arbitrary code execution (bsc#1268012).
* CVE-2026-11824: heap-based buffer overflow vulnerability in the FTS5
full-text search extension that allows attackers to cause a crash or execute
arbitrary code (bsc#1268013).
Changes:
* Add the Query Result Formatter (QRF) library for formatting the results of
SQL queries for human readability on a fixed-pitch font screen.
* Enhance ALTER TABLE to permit adding and removing NOT NULL and CHECK
constraints.
* The REINDEX EXPRESSIONS statement rebuilds expression indexes.
* The body of TEMP triggers may now modify and/or query tables in the main
schema.
* Enhance VACUUM INTO so that if a URI filename is used as the target and that
filename has a reserve=N query parameter with N between 0 and 255, then the
reserve amount for the generated database copy is set to N.
* New SQL functions json_array_insert() and jsonb_array_insert().
* Renovations to the CLI.
* New C-language interfaces: sqlite3_str_truncate(), sqlite3_str_free(),
sqlite3_carray_bind_v2().
* Add the SQLITE_PREPARE_FROM_DDL option to sqlite3_prepare_v3().
* Added the SQLITE_UTF8_ZT constant which can be used as the encoding
parameter to sqlite3_result_text64() or sqlite3_bind_text64() to indicate
that the value is UTF-8 encoded and zero terminated.
* The SQLITE_LIMIT_PARSER_DEPTH option is added to sqlite3_limit().
* The SQLITE_DBCONFIG_FP_DIGITS option is added to sqlite3_db_config().
* Query planner improvements.
* Add new interfaces to the session extension that enable an application to
add changes one at a time to the sqlite3_changegroup object.
* Improvements to floating-point <-> text conversions.
* Added the self-healing index feature to deal with the stale expression index
problem.
* Add the "-p|--port" option to sqlite3_rsync.
* Add the "opfs-wl" VFS, functionally identical to the "opfs" VFS but using
Web Locks for locking, which can promise fairer lock sharing than the "opfs"
bespoke protocol can. "opfs-wl" requires Atomics.waitAsync(), so requires
newer browsers than "opfs" does.
* Fixes for problems in 3.53.0 and 3.53.1 reported by users.
* See the check-in timeline for details:
https://sqlite.org/src/timeline?from=version-3.53.0&to=version-3.53.2
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-754=1
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
* sqlite3-debugsource-3.53.2-1.1
* libsqlite3-0-3.53.2-1.1
* libsqlite3-0-debuginfo-3.53.2-1.1
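A post-patch check, added here as an example and not part of the SUSE advisory: it reports which SQLite library a Python process on the host actually loads and whether that build includes FTS5, since a long-running process or a bundled copy can still be on an older library after the package is updated. It assumes builds below 3.53.2 lack the fixes (a distribution may backport them) and that FTS5 is present only when compiled in; the function names and status labels are hypothetical.

```python
import sqlite3

FIXED = (3, 53, 2)  # release this advisory updates to


def parse_version(text):
    """'3.53.2' -> (3, 53, 2); short versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def has_fts5(compile_options):
    """True if the build lists FTS5, with or without the SQLITE_ prefix."""
    names = {o.upper().replace("SQLITE_", "", 1) for o in compile_options}
    return "ENABLE_FTS5" in names


def assess(version_text, compile_options):
    """Classify a build as 'fixed', 'needs-update' or 'old-without-fts5'."""
    if parse_version(version_text) >= FIXED:
        return "fixed"
    # Assumption: anything older lacks the fixes (ignores distro backports).
    if has_fts5(compile_options):
        return "needs-update"
    return "old-without-fts5"


def probe():
    """Assess the SQLite library loaded by this interpreter."""
    conn = sqlite3.connect(":memory:")
    try:
        options = [row[0] for row in conn.execute("PRAGMA compile_options")]
    finally:
        conn.close()
    return sqlite3.sqlite_version, assess(sqlite3.sqlite_version, options)


if __name__ == "__main__":
    version, status = probe()
    print(f"loaded SQLite {version}: {status}")
```

A result of `needs-update` after installing the patch usually means the process was started before the update or links a private copy of SQLite.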
## References:
* https://www.suse.com/security/cve/CVE-2026-11822.html
* https://www.suse.com/security/cve/CVE-2026-11824.html
* https://bugzilla.suse.com/show_bug.cgi?id=1268012
* https://bugzilla.suse.com/show_bug.cgi?id=1268013