Use-After-Free in SQLite Aggregate Function Callbacks
Published: June 07, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54620 (NVD)
- GHSA: GHSA-j7fr-3v8c-3qc3
GEM
PATCHED VERSIONS
>= 2.9.5
DESCRIPTION
Summary
Using Database#create_aggregate, #create_aggregate_handler, or Database#define_aggregator to define an aggregate function, and then using an open statement calling that function after the database has been explicitly closed will result in an invalid memory read and a segmentation fault.
Severity
The sqlite3-ruby repo maintainers assess this as Low severity. It is reliably triggered after GC when code is structured in a particular way. There is no known general exploit that could be used as a denial of service attack.
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54620
- https://rubygems.org/gems/sqlite3/versions/2.9.5
- https://github.com/sparklemotion/sqlite3-ruby/releases/tag/v2.9.5
- https://github.com/sparklemotion/sqlite3-ruby/pull/711
- https://github.com/sparklemotion/sqlite3-ruby/security/advisories/GHSA-j7fr-3v8c-3qc3
