Impact
The flaw manifests during the preparsing of SQL statements, when the DBI module expands placeholder characters into numbered binders. The module allocates only three characters per binder, which is insufficient for binders numbered 10 and higher. The resulting heap buffer overrun lets an attacker write past the end of the allocated block into adjacent heap memory, potentially corrupting control data and enabling arbitrary code execution or denial of service.
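As an added illustration, constructed for this write-up and not DBI's own code, the C model below contrasts a fixed 3-byte-per-binder slot (enough for ":1" to ":9" plus a terminator, one byte short for ":10") with an expansion that sizes its output from the actual digit count of each binder; the function names and the quoting-free tokenizer are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the sizing mistake; not DBI's own code.
 * Each "?" placeholder becomes a numbered binder ":N". A fixed 3-byte
 * slot per binder holds ":1".."":9" plus a terminator, but ":10" and
 * above need a fourth byte. */

/* Length of ":N" (no terminator) for binder number n. */
size_t binder_len(unsigned n) {
    size_t len = 1;                 /* the ':' */
    do { len++; n /= 10; } while (n);
    return len;
}

/* Returns 1 if formatting ":N" into a slot of `slot` bytes would not
 * fit; snprintf reports the full length it wanted, so nothing overruns. */
int fixed_slot_overflows(unsigned n, size_t slot) {
    char buf[16];
    int wanted = snprintf(buf, slot < sizeof buf ? slot : sizeof buf, ":%u", n);
    return wanted < 0 || (size_t)wanted >= slot;
}

unsigned count_placeholders(const char *sql) {
    unsigned n = 0;
    for (; *sql; sql++) if (*sql == '?') n++;
    return n;
}

/* Safe expansion: size the output from the real binder lengths rather
 * than a fixed per-binder budget. Ignores quoting; a real preparser
 * must skip '?' inside string literals and comments. Caller frees. */
char *expand_placeholders(const char *sql) {
    unsigned total = count_placeholders(sql), idx = 0;
    size_t need = strlen(sql) - total + 1;        /* non-'?' bytes + NUL */
    for (unsigned i = 1; i <= total; i++) need += binder_len(i);
    char *out = malloc(need), *p = out;
    if (!out) return NULL;
    for (; *sql; sql++) {
        if (*sql == '?') p += sprintf(p, ":%u", ++idx);   /* fits: sized above */
        else *p++ = *sql;
    }
    *p = '\0';
    return out;
}
```

The tenth binder is the first one for which `fixed_slot_overflows(n, 3)` reports a shortfall, matching the "more than nine binders" trigger described above.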
Affected Systems
All installations of Perl DBI older than version 1.648 are vulnerable. The issue affects every instance where the preparse method processes an SQL statement that includes more than nine binders. No additional vendor-specific variants are listed beyond the base DBI package.
Risk and Exploitability
The flaw is a classic heap buffer overflow, classified as CWE-787 (out-of-bounds write). Exploitation requires that an attacker can supply a statement with more than nine binders to the preparse routine, which is likely possible in applications that build statements from user input. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of exploitation yet. However, the nature of the heap overwrite suggests the potential impact is high, and the lack of a defined CVSS score in the record calls for cautious assessment and prompt remediation.
OpenCVE Enrichment