CVE-2026-10879
Analyzed Analyzed - Analysis Complete
Heap Overflow in Perl DBI Library

Publication date: 2026-06-05

Last updated on: 2026-06-10

Assigner: CPANSec

Description
DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-10
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-10879
EUVD
EUVD-2026-34843
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
perl dbi to 1.648 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to upgrade the Perl DBI module to version 1.648 or later, where the vulnerability has been fixed.

The patch increases memory allocation in the preparse() function to safely handle SQL statements with more than 9 binders, preventing heap overflow.

If upgrading immediately is not possible, avoid using SQL statements with more than 9 binders or question mark placeholders in your applications until the update can be applied.

Executive Summary

This vulnerability is a heap overflow in the Perl DBI module versions before 1.648. It occurs when SQL statements with more than 9 binders (placeholders) are preparsed. The preparse method replaces question mark placeholders (?) with numbered binders like :pN, but it only allocates three characters per binder in the buffer. For binders numbered 10 and above, which require more characters (four or more), this causes a buffer overflow.

Impact Analysis

The heap overflow can lead to memory corruption, which may cause the application to crash or behave unpredictably. In some cases, this type of vulnerability can be exploited by attackers to execute arbitrary code or escalate privileges, potentially compromising the security of the system running the vulnerable Perl DBI module.

Detection Guidance

This vulnerability occurs in Perl DBI versions before 1.648 when SQL statements with more than 9 binders are preparsed, causing a heap overflow. Detection involves identifying usage of vulnerable DBI versions and SQL statements with more than 9 binders.

To detect if your system is vulnerable, first check the installed DBI version with the following command:

  • perl -MDBI -e 'print $DBI::VERSION, "\n"'

If the version is before 1.648, your system is potentially vulnerable.

Next, you can search your codebase or logs for SQL statements containing more than 9 binders or question marks (?). For example, use grep to find such statements:

  • grep -r -E '\?(.*\?){9,}' /path/to/your/code

This command looks for SQL statements with at least 10 question mark placeholders, which trigger the vulnerability during preparsing.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10879. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart