CVE-2025-71316: SQLite sqldiff remote code execution via argument injection
SQLite's 'sqldiff.exe' does not account for the way the Microsoft Windows C runtime converts Unicode characters to ANSI code pages when it processes its command line. By supplying a crafted command line argument string, an attacker can cause arguments that should be treated as file names to be misinterpreted as command line options, including the '-L' option, which loads an arbitrary DLL. Fixed on or around 2025-12-26.
Frequently Asked Questions
What is the severity of CVE-2025-71316?
The severity of CVE-2025-71316 is high, with a score of 7.8.
How do I fix CVE-2025-71316?
To fix CVE-2025-71316, upgrade to a version of SQLite (and its 'sqldiff' tool) that includes the fix, which landed on or around 2025-12-26.
What type of vulnerability is CVE-2025-71316?
CVE-2025-71316 is a remote code execution vulnerability caused by argument injection in SQLite's 'sqldiff.exe': Unicode-to-ANSI code page conversion by the Windows C runtime lets a crafted file argument be interpreted as a command line option.
Which software is affected by CVE-2025-71316?
CVE-2025-71316 affects the SQLite 'sqldiff' tool.
What can an attacker do with CVE-2025-71316?
An attacker can exploit CVE-2025-71316 to have 'sqldiff.exe' load and execute an arbitrary DLL via the '-L' option, using crafted command line arguments.