Use-After-Free When Redefining SQLite Functions with Different Arity
Published: June 07, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54619 (NVD)
- GHSA: GHSA-28hh-pr2h-2w89
GEM
UNAFFECTED VERSIONS
< 2.1.0
PATCHED VERSIONS
>= 2.9.5
DESCRIPTION
Summary
Using Database#create_function or Database#define_function to define the same function name more than once with different numbers of arguments ("arity") or text encodings will result in a invalid memory read and a segmentation fault.
Severity
The sqlite3-ruby repo maintainers assess this as Low severity. It is reliably triggered after GC when code is structured in a particular way. There is no known general exploit that could be used as a denial of service attack.
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54619
- https://rubygems.org/gems/sqlite3/versions/2.9.5
- https://github.com/sparklemotion/sqlite3-ruby/releases/tag/v2.9.5
- https://github.com/sparklemotion/sqlite3-ruby/pull/711
- https://github.com/sparklemotion/sqlite3-ruby/security/advisories/GHSA-28hh-pr2h-2w89
