We’re pleased to announce the immediate availability of SQLCipher 4.17.0. This is intended primarily as a maintenance release focused on dependency updates, cleanup, and bug fixes, along with a few minor improvements. However, it also updates the SQLite baseline to incorporate fixes for upstream CVEs that affected earlier versions.
SQLITE_NOTADB, even when the first operation modifies the schemaSQLCIPHER_OMIT_MALLOC build macro to aid analysis under Address SanitizerSQLCipher Commercial and Enterprise packages include the following changes:
The new SQLite 3.53.3 baseline fixes two memory corruption issues in the FTS5 full-text search extension, CVE-2026-11822 and CVE-2026-11824. These can be triggered by a FTS5 query running against a database that contains specially attacker-crafted data. They also require the application to have disabled defensive mode (SQLITE_DBCONFIG_DEFENSIVE). Further details are available on the SQLite CVE list.
For SQLCipher users, the practical risk of these CVEs is low. Because SQLCipher databases are encrypted, an attacker can’t construct malicious database contents needed to trigger these issues without knowing the database key. Therefore, applications that maintain strong key controls and work with their own encrypted databases (i.e. not ones supplied by third parties) have very little exposure. However, we still recommend upgrading to address these fixes, especially for applications that could possibly open databases from untrusted sources.
The table below summarizes the cryptographic providers used across SQLCipher packages and platforms:
| Edition | Platform | Cryptographic Provider |
|---|---|---|
| Community (non-FIPS) | Android | based on LibTomCrypt 1.18.2 |
| Community (non-FIPS) | Apple | Common Crypto (version varies by OS) |
| Commercial & Enterprise (non-FIPS) | Apple | Common Crypto (version varies by OS) |
| Commercial & Enterprise (non-FIPS) | Other Platforms | OpenSSL 3.5.7 LTS |
| Enterprise FIPS | All Platforms | SQLCipher Cryptographic Module Based on OpenSSL 3.5.7 LTS |
SQLCipher 4.17.0 is available for download now, and we recommend upgrading to incorporate these improvements. As always, test your applications thoroughly with the new version before deploying to production.
Commercial and Enterprise - On-demand access to new releases of SQLCipher packages are available to all licensees with an active subscription from the Customer Downloads fulfillment site. Subscribers will also receive a separate email notification regarding the update and can contact us at any time for private support directly from the SQLCipher development team. Commercial and Enterprise edition upgrades require a new license code from the SQLCipher fulfillment site for each version. Don’t forget to change the license code in your application(s) when you upgrade.
Community Edition - SQLCipher Community Edition source code is available on GitHub, via AAR packaging for Android, and Swift Package Manager for Apple platforms.
For feedback and questions, please visit our Community Forum or private support channels. Thank you for using SQLCipher!