I've been working on a draft web-page about CVEs and SQLite. It includes a [table of recent CVEs][1].

[1]: https://www.sqlite.org/draft/cves.html#cvetab

But it occurs to me that I am perhaps giving these CVEs more weight than they deserve. All of these CVEs can be safely ignored. Follow my logic:

1. All of the CVEs have a precondition that the attacker must be able to inject and run arbitrary SQL.
2. The worst outcome is denial-of-service.
3. But if an attacker has the ability to inject and run arbitrary SQL, they don't need any bugs in SQLite in order to execute a denial of service attack. All they have to do is put in some SQL that uses a lot of CPU or memory or disk I/O and they can effectively shut the service down that way. It isn't hard to devise a small bit of perfectly valid and legal SQL that uses an enormous amount of CPU or memory.
4. Hence, none of the CVEs in the chart are "real". They are bugs (now fixed), but none of them give an attacker any more leverage for disrupting the system than the attacker had to begin with.

Am I completely off-base with this argument?
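The defensive counterpart to point 3, added here as an example that is not part of the original post: if untrusted SQL must be executed at all, bound the CPU time a statement may consume with SQLite's progress handler (here through Python's `sqlite3` module) so that a valid but expensive statement is aborted rather than monopolising the service. `RUNAWAY_SQL` is a constructed stand-in for such a statement and `run_untrusted_sql` is a hypothetical helper name.

```python
import sqlite3
import time

# Constructed stand-in for attacker-supplied SQL that is perfectly legal
# but never finishes: an unbounded recursive CTE.
RUNAWAY_SQL = (
    "WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c) "
    "SELECT count(*) FROM c"
)


def run_untrusted_sql(sql, cpu_budget_seconds=0.2, check_every=1000):
    """Run one statement under a wall-clock budget.

    Returns ("ok", rows) on success or ("aborted", reason) when the
    progress handler stops the statement. The budget is enforced by
    SQLite itself: a non-zero return from the progress handler makes the
    running statement fail with SQLITE_INTERRUPT, which the Python
    wrapper surfaces as sqlite3.OperationalError.
    """
    conn = sqlite3.connect(":memory:")
    deadline = time.monotonic() + cpu_budget_seconds

    def guard():
        # Called by SQLite every `check_every` virtual-machine steps.
        return 1 if time.monotonic() > deadline else 0

    conn.set_progress_handler(guard, check_every)
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("aborted", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    print(run_untrusted_sql("SELECT 1 + 1"))   # ("ok", [(2,)])
    print(run_untrusted_sql(RUNAWAY_SQL))      # ("aborted", "interrupted")
```

A CPU budget alone does not cap memory or disk growth; SQLite's `PRAGMA max_page_count` and the `sqlite3_limit` / heap-limit interfaces cover those, and the real fix remains not letting untrusted parties author SQL.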