CVE-2015-3416

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.

Published: 2015-04-24 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2015-3416 is rated Moderate Risk (60.8/100): CVSS High severity, with high exploitation likelihood (EPSS 5.53%, 92th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2015-3416

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 6.90% 5.53% -1.37%
2 2026-06-11 7.72% 6.90% -0.81%
3 2026-05-29 7.72%

Full EPSS history (21 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2015-3416

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
10.0 6.4 [email protected]

Weakness enumeration for CVE-2015-3416

OS Trackers for CVE-2015-3416

vendor priority summary link
debian not yet assigned CVE-2015-3416 not yet assigned priority: Debian including 1 source packages (sqlite3), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2015-3416
gentoo normal CVE-2015-3416: 1 GLSA(s) (201507-05), 1 atom(s) (dev-db/sqlite); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2015-3416
redhat medium https://access.redhat.com/security/cve/CVE-2015-3416
suse medium CVE-2015-3416 severity moderate: SUSE including 649 source package names (apache2-mod_php5, apache2-mod_php5-5.6.28-1.1, …), 1219 product×package rows across 94 product lines (SLES for SAP Applications 11 SP2, SLES for SAP Applications 11 SP3, … (94 product lines)): Known Not Affected 828, Fixed 391. https://www.suse.com/security/cve/CVE-2015-3416/
ubuntu low CVE-2015-3416 low priority: Ubuntu including 2 source packages (sqlite, sqlite3), 54 status rows across 27 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lucid, lunar, mantic, noble, oracular, plucky, precise, questing, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): not-affected 21, ignored 17, DNE 6, needed 5, released 5. https://ubuntu.com/security/CVE-2015-3416

Affected software / configurations for CVE-2015-3416

Vendor Product Version Raw CPE
canonical ubuntu_linux 12.04 cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 14.04 cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 15.04 cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
sqlite sqlite <= 3.8.8.3 cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*
debian debian_linux 8.0 cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
apple mac_os_x <= 10.6.8 cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
apple watchos <= 1.0.1 cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
php php >= 5.4.0, < 5.4.42 cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
php php >= 5.5.0, < 5.5.26 cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
php php >= 5.6.0, < 5.6.10 cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

References for CVE-2015-3416

URL Tags
http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.html Mailing List Third Party Advisory
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html Mailing List Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1634.html Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1635.html Third Party Advisory
http://seclists.org/fulldisclosure/2015/Apr/31 Mailing List Third Party Advisory VDB Entry
http://www.debian.org/security/2015/dsa-3252 Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2015:217 Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html Patch Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html Third Party Advisory
http://www.securityfocus.com/bid/74228 Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1033703 Third Party Advisory VDB Entry
http://www.sqlite.org/src/info/c494171f77dc2e5e04cb6d865e688448f04e5920 Vendor Advisory
http://www.ubuntu.com/usn/USN-2698-1 Third Party Advisory
https://security.gentoo.org/glsa/201507-05 Third Party Advisory
https://support.apple.com/HT205213 Third Party Advisory
https://support.apple.com/HT205267 Third Party Advisory
cvelogic Threat Intelligence