RubySec

Providing security resources for the Ruby community

CVE-2026-54620 (sqlite3): Use-After-Free in SQLite Aggregate Function Callbacks

Use-After-Free in SQLite Aggregate Function Callbacks

Published: June 07, 2026

SECURITY IDENTIFIERS

GEM

sqlite3

PATCHED VERSIONS

>= 2.9.5

DESCRIPTION

Summary

Using Database#create_aggregate, #create_aggregate_handler, or Database#define_aggregator to define an aggregate function, and then using an open statement calling that function after the database has been explicitly closed will result in an invalid memory read and a segmentation fault.

Severity

The sqlite3-ruby repo maintainers assess this as Low severity. It is reliably triggered after GC when code is structured in a particular way. There is no known general exploit that could be used as a denial of service attack.

RELATED