Morning Overview

An AI just found a real software flaw on its own for the first time — one dangerous enough to slip past two-factor logins across Google’s products

A Google-linked artificial intelligence system called Big Sleep has been credited with discovering a previously unknown vulnerability in SQLite, the lightweight database engine embedded in virtually every smartphone, web browser, and operating system on the planet. The flaw, now cataloged as CVE-2025-6965 in the federal government’s National Vulnerability Database, represents what security researchers are calling a landmark moment: the first documented case of an AI identifying a real, exploitable software flaw through code reasoning rather than brute-force testing.

Secondary reporting has tied the bug to scenarios in which attackers could potentially bypass two-factor authentication protections in Google products. That specific attack path has not been confirmed by Google or the SQLite project as of June 2026, but the underlying vulnerability is real, formally tracked, and sitting in software that handles authentication data for billions of users.

What the official record confirms

The strongest piece of evidence is the CVE entry itself. The National Vulnerability Database, maintained by the National Institute of Standards and Technology, lists CVE-2025-6965 as a cataloged entry associated with an SQLite flaw and links its discovery to Big Sleep. The NVD is the U.S. government’s authoritative clearinghouse for vulnerability data, and its entries carry weight across federal agencies, defense contractors, and regulated industries. Once a CVE appears there, organizations that follow NIST’s compliance frameworks are required to evaluate the flaw against their own systems and either patch it or put compensating controls in place.

Big Sleep is a collaboration between Google’s DeepMind AI division and its Project Zero security team. The project made headlines in November 2024 when Google published a blog post describing how the system had found a different exploitable memory-safety bug in SQLite by analyzing source code, not by feeding random inputs into a program the way traditional fuzzing tools do. That earlier disclosure established Big Sleep’s capability. CVE-2025-6965 appears to extend the track record, suggesting the system’s initial success was not a one-off.

SQLite itself is not some obscure library. It ships inside every Android phone, every iPhone, Chrome, Safari, Firefox, and most embedded systems. Google depends on it across Chrome, Android, and internal infrastructure. Because SQLite routinely processes queries that touch authentication tokens, session data, and credential caches, a flaw in its data-handling logic can expose a staggering number of applications to risk. When the code that manages stored session records contains an exploitable error, an attacker who reaches the database layer could potentially manipulate authentication state without triggering the usual multi-factor checks.

Where the picture gets murkier

Beyond the NVD entry, several critical details remain unconfirmed. No technical writeup from the Big Sleep team has been published for CVE-2025-6965 describing the exact method the AI used, the reproduction steps, or the conditions under which the vulnerability becomes exploitable. The NVD record contains standardized metadata but not the kind of deep-dive analysis that lets other researchers independently verify the finding.

Google and the SQLite project have not issued public advisories confirming that the flaw affects their current shipping codebases or providing a patch timeline. Without that confirmation, gauging the practical severity is difficult. A vulnerability can carry a high theoretical score in the NVD while remaining unexploitable in practice if vendors have already deployed mitigations or changed default configurations.

The two-factor authentication bypass scenario, which has driven much of the public alarm, rests on secondary reporting rather than a published proof-of-concept or vendor acknowledgment. SQLite’s role in storing session tokens and authentication state makes the scenario technically plausible, but plausible and proven are different standards. No primary institutional source in the available evidence explicitly links CVE-2025-6965 to a demonstrated bypass of multi-factor login flows.

The “first AI-discovered vulnerability” framing also deserves scrutiny. AI-assisted fuzzing tools have surfaced bugs for years. Google’s own OSS-Fuzz project has found tens of thousands of them. What reportedly sets Big Sleep apart is that it reasons about code structure and logic rather than blindly mutating inputs. Whether CVE-2025-6965 truly represents a qualitative leap depends on technical details the research team has not yet made public.

What security teams and users should do now

For organizations running infrastructure that depends on SQLite, the immediate steps are practical. Check which version of the library runs in your environment. Monitor the SQLite project’s release notes for a patch addressing CVE-2025-6965. Organizations that follow NIST risk management baselines should review whether their current hardening configurations account for the affected library version. The NVD entry will be updated with refined severity scores and remediation guidance as analysis matures, making it the single most reliable page to watch.
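A version inventory check for the first of those steps, added here as an example and not part of the original article: it reads the SQLite library version linked into Python's `sqlite3` module and, if one is on PATH, the `sqlite3` command-line shell, and compares each against a minimum safe release. Because the article reports no patched release for CVE-2025-6965, `MIN_SAFE_VERSION` is a placeholder to replace with the fixed version from the SQLite release notes.

```python
import re
import subprocess
import sqlite3
from typing import Dict, Optional, Tuple

# PLACEHOLDER: no patched SQLite release for CVE-2025-6965 is cited on the page,
# so replace this with the first fixed version from the SQLite release notes.
MIN_SAFE_VERSION = "3.0.0"


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted numeric version from text such as
    '3.45.1 2024-01-30 ...' (the format `sqlite3 --version` prints)."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def needs_patch(installed: str, min_safe: str) -> bool:
    """True if the installed library is older than the first fixed release.
    Missing trailing components count as zero, so '3.46' equals '3.46.0'."""
    a, b = parse_version(installed), parse_version(min_safe)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def python_sqlite_version() -> str:
    # sqlite3.sqlite_version is the linked C library, not the module version.
    return sqlite3.sqlite_version


def cli_sqlite_version() -> Optional[str]:
    """Version of the sqlite3 shell on PATH, or None if it is absent/unusable."""
    try:
        out = subprocess.run(["sqlite3", "--version"], capture_output=True,
                             text=True, check=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return out.split()[0] if out.split() else None


def inventory(min_safe: str = MIN_SAFE_VERSION) -> Dict[str, Tuple[str, bool]]:
    """Map each SQLite copy found on this host to (version, needs_patch)."""
    found = {"python-sqlite3": python_sqlite_version()}
    cli = cli_sqlite_version()
    if cli:
        found["sqlite3-cli"] = cli
    return {name: (ver, needs_patch(ver, min_safe)) for name, ver in found.items()}


if __name__ == "__main__":
    for name, (ver, vulnerable) in inventory().items():
        print(f"{name}: {ver} -> {'UPDATE' if vulnerable else 'ok'}")
```

Run it on each host and feed the results into the same asset inventory you use for other NVD-tracked flaws; the check covers only the two copies it knows how to query, so browsers and mobile apps with embedded SQLite builds still need their vendor's update channel.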

For everyday users, the exposure is indirect but real. You likely interact with SQLite dozens of times a day without knowing it. The most effective protection is keeping your devices and browsers updated. When Google, Apple, or Mozilla push security patches for Chrome, Android, iOS, or Firefox, those updates frequently include newer SQLite builds. Enabling automatic updates remains the simplest defense against vulnerabilities like this one.

How automated vulnerability discovery reshapes the security timeline

Strip away the caveats and one signal comes through clearly: the timeline between a bug’s introduction into code and its discovery is compressing. If AI systems can reliably surface exploitable flaws in foundational libraries before human researchers publish them, defenders gain a powerful advantage, but only if they move faster than adversaries deploying similar tools. The same reasoning capability that lets Big Sleep find a flaw in SQLite could, in theory, be turned loose on any open-source codebase by anyone with sufficient computing resources.

CVE-2025-6965 is a single entry in a database that already contains hundreds of thousands of records. What makes it notable is not the bug alone but the way it was found. The race to discover vulnerabilities in code running on billions of devices is no longer a contest between human teams alone, and this disclosure is the clearest evidence yet that automated discovery has crossed from theoretical capability into documented, repeatable results.

*This article was researched with the help of AI, with human editors creating the final content.*