CVE-2026-10879 - Vulnerability Details

- DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders

Description

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders.

The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.

Published: 2026-06-05

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw manifests during the preparsing of SQL statements when the DBI module expands placeholder characters into numbered binders. The module allocates only three characters per binder, which is insufficient for binders numbered 10 and higher. The resulting buffer overrun allows an attacker to overwrite non‑allocated heap space, potentially corrupting control data and enabling arbitrary code execution or denial of service.

Affected Systems

All installations of Perl DBI older than version 1.648 are vulnerable. The issue affects every instance where the preparse method processes an SQL statement that includes more than nine binders. No additional vendor-specific variants are listed beyond the base DBI package.

Risk and Exploitability

The flaw is a classic buffer overflow (CWE‑787). Exploitation requires that an attacker can supply a statement with more than nine binders to the preparse routine, which is likely possible in applications that accept user input. The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of exploitation yet. The CVSS score of 9.8 indicates a high severity, and the heap overwrite suggests potential impact is high, warranting prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

HMBRAND

DBI

unaffected

Version	Status	Constraints
`0`	affected	< 1.648

Configuration 1 [-]

cpe:2.3:a:perl:dbi:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Hmbrand

Dbi

100%

Version	Status	Scheme	Platform
`[0,1.648)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to DBI 1.648 or later.

OpenCVE Recommended Actions

Upgrade the DBI module to version 1.648 or later
Refactor application code so that any prepared statement contains nine or fewer binders
Audit existing preparse calls to ensure no statement passes more than nine binders to the DBI engine

Generated by OpenCVE AI on June 8, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6338-1	libdbi-perl security update
Ubuntu USN	USN-8466-1	Perl DBI module vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00413.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/06/06/4
https://github.com/perl5-dbi/dbi/commit/af79036c07aa9a457971c0f4136e37c85dc20978.patch
https://metacpan.org/release/HMBRAND/DBI-1.648/changes

History

Wed, 10 Jun 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Perl Perl dbi
CPEs		cpe:2.3:a:perl:dbi::::::::
Vendors & Products		Perl Perl dbi

Mon, 08 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sun, 07 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hmbrand Hmbrand dbi
Vendors & Products		Hmbrand Hmbrand dbi

Sat, 06 Jun 2026 06:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/06/06/4

Fri, 05 Jun 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.
Title		DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders
Weaknesses		CWE-787
References		https://github.com/perl5-dbi/dbi/commit/af79036c07aa9a457971c0f4136e37c85dc20978.patch https://metacpan.org/release/HMBRAND/DBI-1.648/changes

Subscriptions

Hmbrand Dbi

Perl Dbi

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published: 2026-06-05T14:30:58.497Z

Updated: 2026-06-08T16:55:27.339Z

Reserved: 2026-06-04T16:34:48.978Z

Link: CVE-2026-10879

Vulnrichment

Updated: 2026-06-06T05:18:05.204Z

NVD

Status : Analyzed

Published: 2026-06-05T15:16:46.817

Modified: 2026-06-10T15:02:24.007

Link: CVE-2026-10879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T18:30:16Z

Weaknesses

CWE-787
Out-of-bounds Write

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object