LiveActive security incident?Get immediate response
CVE Record

CVE-2021-36690: A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTab...

A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This report concerns a crash in SQLite 3.36.0's sqlite3.exe command-line tool when handling crafted SQL. The source bundle notes the SQLite vendor disputes its security relevance because a CLI user can already execute commands. It explicitly does not indicate a problem in the SQLite library used by applications.

Executive priority

Treat as low priority for most environments, with targeted review for systems that run sqlite3.exe on untrusted input. Do not treat this as broad SQLite application exposure based on the provided sources.

Technical view

CVE-2021-36690 describes a segmentation fault in sqlite3.exe through idxGetTableInfo during crafted SQL processing. The stated scope is the command-line component, not the SQLite library. No CVSS, CWE, or concrete affected product metadata is provided, and KEV status is false.

Likely exposure

Exposure is most plausible where automation, support tooling, or user workflows invoke sqlite3.exe against untrusted SQL. Applications that only link the SQLite library are not implicated by the CVE description. Asset impact details are incomplete in the provided sources.

Exploitation context

The bundle provides no evidence of active exploitation and KEV is false. The described effect is a segmentation fault in a local command-line tool. The vendor dispute materially lowers business urgency unless untrusted SQL is processed through sqlite3.exe.

Researcher notes

Key uncertainty is scope: the CVE entry names SQLite 3.36.0 sqlite3.exe, while affected product fields are n/a and the vendor disputes relevance. Downstream Apple and Debian references exist, but the bundle does not provide enough detail to infer additional affected products.

Mitigation direction

  • Inventory systems that invoke sqlite3.exe or sqlite3 CLI against untrusted SQL.
  • Check SQLite, OS, and distribution vendor advisories for fixed command-line tooling packages.
  • Avoid feeding untrusted SQL into sqlite3.exe in automation or support workflows.
  • Prioritize OS package updates where Apple or Debian advisories apply to your fleet.

Validation and detection

  • Confirm whether applications use SQLite library only or invoke sqlite3.exe directly.
  • Review scripts, jobs, and support tools for sqlite3 CLI usage.
  • Check installed SQLite CLI versions against vendor and OS package guidance.
  • Document any user-controlled SQL paths that reach the command-line tool.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-36690 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
7Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.