The flaw arises because DBI versions before 1.648 write error messages, including those generated by RaiseError, PrintError, or HandleError, into a fixed 200‑byte buffer without checking the length of the message. If an attacker can influence the content of an error message, the overflow can corrupt adjacent memory, potentially allowing the attacker to execute arbitrary code. The vulnerability is a classic buffer‑overflow weakness (CWE‑787). The product’s documentation indicates that any application leveraging DBI that can accept attacker‑controlled input could be vulnerable. The presence of this overflow means that compromised privilege boundaries could be broken and the system or process may be taken over.

All installations of the Perl DBI library older than version 1.648 are affected. This includes every project or application that bundles an earlier DBI release, regardless of distribution or operating system. The specific vendor listed is HMBRAND, with the library name DBI.

Because the attack vector requires an attacker capable of injecting or controlling error‑message text, exploitation is limited to contexts where the application accepts user input that can appear in error strings. The CVSS score is 7.5, indicating high severity, and the EPSS score is <1%, indicating a very low exploitation probability. The vulnerability is listed as not in the CISA KEV catalog. The potential impact of an exploit, however, remains high, as overriding a critical buffer could lead to remote code execution or a denial‑of‑service condition if the process crashes.