Google’s Project Zero team has announced the discovery of an unpatched vulnerability in the popular SQLite database engine. The vulnerability was found by the team’s “Big Sleep” AI agent, which was tasked with analyzing recent changes to the SQLite codebase for potential security issues.
The discovered vulnerability is a stack buffer underflow bug that could allow attackers to execute arbitrary code on systems running vulnerable versions of SQLite. What makes this discovery particularly notable is that the issue was found before it had been publicly disclosed or exploited in the wild.
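To make the bug class concrete, the following is an added illustration (not SQLite's code and not the bug Big Sleep reported) of the general shape of a stack buffer underflow: a sentinel value such as -1 that is meant to mean "not a real index" reaches an array subscript unchecked and writes one element before the start of a stack array. The slot table, the `NO_COLUMN` sentinel and the sample constraint list are all constructed for the example; the hardened helper shows the range check that rejects both negative (underflow) and too-large (overflow) indices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not SQLite code: a small slot table that lives on the
 * stack, and a sentinel that callers use to mean "no column".            */
#define NSLOTS 4
#define NO_COLUMN (-1)

/* Vulnerable pattern, kept only for comparison and never called here with an
 * out-of-range value: the sentinel is used directly as a subscript, so
 * col == NO_COLUMN writes to slots[-1], one element before the array begins.
 * That is a stack buffer underflow when `slots` is a stack array.          */
void mark_column_unchecked(int *slots, int col) {
    slots[col] = 1;
}

/* Range check that the hardened version relies on: negative values (the
 * sentinel included) and values >= nslots are both rejected.               */
bool index_in_range(int col, size_t nslots) {
    return col >= 0 && (size_t)col < nslots;
}

/* Hardened version: refuse to touch memory outside the array.              */
bool mark_column_checked(int *slots, size_t nslots, int col) {
    if (!index_in_range(col, nslots)) {
        return false;
    }
    slots[col] = 1;
    return true;
}

/* Constructed sample input: two valid indices, the sentinel, and an index
 * past the end of the table.                                               */
const int kSampleCols[] = {0, NO_COLUMN, 2, 7};
const size_t kSampleN = 4;

/* Apply the checked version to a list of column indices using a stack
 * buffer, and return how many indices were rejected by the range check.    */
int count_rejected(const int *cols, size_t ncols) {
    int slots[NSLOTS];
    memset(slots, 0, sizeof slots);
    int rejected = 0;
    for (size_t i = 0; i < ncols; i++) {
        if (!mark_column_checked(slots, NSLOTS, cols[i])) {
            rejected++;
        }
    }
    return rejected;
}

int main(void) {
    int rejected = count_rejected(kSampleCols, kSampleN);
    printf("rejected %d of %zu indices\n", rejected, kSampleN);
    return 0;
}
```

The point of the comparison is that the unchecked write is silent in a normal run: nothing in the program observes the out-of-bounds store, which is why a bug of this shape can pass a test suite and still be reachable through crafted input. A sanitizer build (for example AddressSanitizer) or a range check like `index_in_range` is what surfaces it.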
“We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software,” the Big Sleep team wrote in a blog post announcing the findings.
The team said the vulnerability was reported to the SQLite developers in early October, and a fix was released on the same day. This means SQLite users were never exposed to potential attacks leveraging the flaw.
Interestingly, the researchers found that the existing testing infrastructure for SQLite, including its own internal tests and the OSS-Fuzz project, did not uncover the issue. This highlights the potential for AI-based approaches to complement traditional vulnerability discovery methods and find flaws that evade other testing techniques.
While the Big Sleep team cautioned that their work is still in the research stage, they expressed optimism about the defensive potential of using large language models for variant analysis and vulnerability research. “Finding vulnerabilities in software before it’s even released, means that there’s no scope for attackers to compete: the vulnerabilities are fixed before attackers even have a chance to use them,” they wrote.
The successful discovery of this vulnerability is a significant milestone for the field of AI-assisted security research. As companies and researchers continue to push the boundaries of what language models can accomplish, tools like Big Sleep could play an increasingly important role in helping defenders stay ahead of malicious actors.