SQLite released 3.26.0 on 2018-12-01 to fix a remote code execution vulnerability. This vulnerability was found by Tencent Blade Team and the details of the specific vulnerability have not been made public. It is currently named Magellan. The Chromium browser was affected by the Blade team test. Google and SQLite have also confirmed and fixed the vulnerability.
The vulnerability can be triggered by calling the Web SQL API, modifying the database table, and using the SQLite database indexing operation to trigger the vulnerability and implementing remote code execution in the browser Render process. Other applications that use SQLite can also implement remote code execution in a similar manner.
- SQLite < v3.26.0
- Chromium < v71.0.3578.80
Please update Chromium and SQLite to the latest version.