Hello!

There is allegedly a remote code execution bug in all versions of SQLite prior to 3.26.0: .

I think it is safe to graft 3.26.0 in-place:

$ abidiff /gnu/store/pba3xzrkq2k4wgh3arif4xpkblr5qz2n-sqlite-3.24.0/lib/libsqlite3.so /gnu/store/r0krlfg010d9zj935gxx0p24pcs0kv9s-sqlite-3.26.0/lib/libsqlite3.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

1 Added function symbol not referenced by debug info:

  sqlite3_create_window_function

...but I have not tested this. It's difficult to tell which patches to apply without knowing more details of the vulnerability.

I am currently building a branch that adds a "static" output for SQLite in order to catch users of libsqlite3.a. Can we start this on Berlin concurrently?

Patches attached.
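The ABI comparison in the message above can be turned into a repeatable check; the following is an added example, not part of the original message or of Guix. The function names are hypothetical, the first sample is the summary quoted in the message, the second is constructed, and the verdict covers symbol-level compatibility only, not runtime behaviour.

```shell
#!/bin/sh
# Added example (not from the original message): turn an abidiff report into
# a graft verdict. A graft replaces the library without rebuilding dependents,
# so removed or changed symbols are disqualifying; added symbols are not.

# Reads an abidiff report on stdin; prints compatible, incompatible or unknown.
graft_verdict() {
    awk '
        /changes summary:/ {
            seen++
            # Fields come in "<count> <Kind>," pairs after the colon.
            for (i = 1; i < NF; i++) {
                kind = $(i + 1)
                sub(/,$/, "", kind)
                if ((kind == "Removed" || kind == "Changed") && $i + 0 > 0)
                    bad++
            }
        }
        END {
            if (seen == 0)    print "unknown"       # no summary: abidiff failed?
            else if (bad > 0) print "incompatible"
            else              print "compatible"
        }'
}

# Summary lines as quoted in the message (3.24.0 vs 3.26.0).
page_report() {
    cat <<'EOF'
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
EOF
}

# Constructed sample: one function removed, so dependents could fail to resolve it.
breaking_report() {
    cat <<'EOF'
Functions changes summary: 1 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
EOF
}

echo "page report:        $(page_report | graft_verdict)"
echo "constructed report: $(breaking_report | graft_verdict)"
```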