CVE-2019-16168
6.5 MEDIUM
In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a...
Published: 2019-09-09 · Last updated: 2026-05-28
Severity and scoring
- CVSS: 6.5 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- CWE: CWE-369
Affected products
| Vendor | Product |
|---|---|
| canonical | active_iq_unified_manager, communications_design_studio, debian_linux |
| debian | active_iq_unified_manager, communications_design_studio, debian_linux |
| fedoraproject | active_iq_unified_manager, communications_design_studio, debian_linux |
| mcafee | active_iq_unified_manager, communications_design_studio, debian_linux |
| netapp | active_iq_unified_manager, communications_design_studio, debian_linux |
| oracle | active_iq_unified_manager, communications_design_studio, debian_linux |
| sqlite | active_iq_unified_manager, communications_design_studio, debian_linux |
| tenable | active_iq_unified_manager, communications_design_studio, debian_linux |
Description
In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2019-16168
- [Other] http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html
- [Other] http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html
- [Other] https://kc.mcafee.com/corporate/index?page=content&id=SB10365
- [Other] https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/
- [Other] https://security.gentoo.org/glsa/202003-16
- [Other] https://security.netapp.com/advisory/ntap-20190926-0003/
- [Other] https://security.netapp.com/advisory/ntap-20200122-0003/
- [Other] https://usn.ubuntu.com/4205-1/
- [Other] https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg116312.html
- [Other] https://www.oracle.com/security-alerts/cpuapr2020.html
- [Other] https://www.oracle.com/security-alerts/cpujan2020.html
- [Vendor advisory] https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62
- [Patch] https://www.sqlite.org/src/timeline?c=98357d8c1263920b
- [Other] https://www.tenable.com/security/tns-2021-08
- [Other] https://www.tenable.com/security/tns-2021-11
- [Other] https://www.tenable.com/security/tns-2021-14
Related CVEs
Same vendor
- CVE-2026-35273 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) (9.8 CRITICAL)
- CVE-2026-11824 — SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to ... (7.8 HIGH)
- CVE-2026-11822 — SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause proc... (7.8 HIGH)
- CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
- CVE-2026-46843 — Vulnerability in Oracle REST Data Services (component: Core) (5.3 MEDIUM)
Same CWE
- CVE-2025-55642 — GPAC MP4Box v2.4 was discovered to contain a floating point exception in the avidmx_process function (isomedia/isom_write.c) (6.5 MEDIUM)
- CVE-2025-70100 — A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers... (5.5 MEDIUM)
- CVE-2026-37232 — An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation (8.6 HIGH)
- CVE-2026-10201 — A vulnerability was determined in Assimp up to 6.0.4 (3.3 LOW)
- CVE-2026-46184 — In the Linux kernel, the following vulnerability has been resolved: sound: ua101: fix division by zero at probe Add a missing sanity ch... (5.5 MEDIUM)