cvedb.io
CVE-2025-64429
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2025-11-12T22:15:49.813 · Last modified 2026-06-17T09:54:22.160

Summary

DuckDB is a SQL database management system. DuckDB implemented block-based encryption of DB on the filesystem starting with DuckDB 1.4.0. There are a few issues related to this implementation. The DuckDB can fall back to an insecure random number generator (pcg32) to generate cryptographic keys or IVs. When clearing keys from memory, the compiler may remove the memset() and leave sensitive data on the heap. By modifying the database header, an attacker could downgrade the encryption mode from GCM to CTR to bypass integrity checks. There may be a failure to check return value on call to OpenSSL `rand_bytes()`. An attacker could use public IVs to compromise the internal state of RNG and determine the randomly generated key used to encrypt temporary files, get access to cryptographic keys if

Affected products

duckdb — duckdb

Does this affect you?

Add your gear to cvedb and we'll alert you only when duckdb ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.