SQLite is broadly used in most mobile and desktop operating systems, browsers and other software, meaning the code execution flaw has a broad scope
Tencent‘s Blade security team said it has discovered a flaw in the SQLite database management system that could allow hackers to attack a wide range of software and devices, including browsers and devices based on Chromium.
“SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence,” Tencent said in an advisory.
“If you use a device or software that uses SQLite or Chromium, it will be affected.”
The bug, which Tencent researchers call “Magellan”, could allow hackers to execute malicious code on an affected system, and can be triggered when, for instance, the system visits a specially crafted web page, Tencent said.
Google’s Chromium is an open source project that forms the basis for the widely used Chrome browser, as well as a number of others.
Chromium is also used in Google Home smart speakers, and Tencent’s researchers said they had demonstrated the flaw on the devices.
Tencent said it would not disclose details of the bug or the exploit code it used for the time being, but was urging the vendors affected to issue patches.
Google confirmed the issue in Chromium and patched it in version 71.0.3578.80, while SQLite issued the fix in version 3.26.0.
However, third-party software and devices based on vulnerable software often take much longer to receive patches.
Aside from Chromium and Chrome, the Opera, Safari and Android Browser browsers all use SQLite.
The database is also widely used in middleware, in web application frameworks, in software such as Skype and Evernote, in operating systems including macOS, iOS, Android, Windows 10 and Tizen, and even in BMW’s iDrive satellite navigation system.
Tencent said it hasn’t yet seen any signs that Magellan is being actively exploited.