CVE-2026-10879
Heap Overflow in Perl DBI Library
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: CPANSec
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| perl | dbi | all versions before 1.648 (1.648 itself is fixed) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the Perl DBI module to version 1.648 or later, where the vulnerability has been fixed.
The patch enlarges the buffer allocated in preparse() so that a SQL statement with more than 9 binders fits after its placeholders are rewritten, which removes the heap overflow.
If upgrading immediately is not possible, keep any statement that goes through preparse() to 9 or fewer ? placeholders until the update can be applied. Pay particular attention to statements built dynamically, such as IN (...) or VALUES (...) lists whose placeholder count depends on how many values are being passed in.
Can you explain this vulnerability to me?
This vulnerability is a heap overflow in Perl DBI versions before 1.648. It is triggered when a SQL statement with more than 9 binders (placeholders) is preparsed. The preparse method rewrites each question mark placeholder (?) as a numbered binder of the form :pN, but it sizes the output buffer on the assumption of three characters per binder (":p" plus a single digit). Binders numbered 10 and above need four or more characters (:p10, :p11, ..., :p100), so the rewritten statement is longer than the buffer and the excess is written past its end on the heap: with that sizing, one extra byte for every two-digit binder, two for every three-digit binder, and so on.
How can this vulnerability impact me?
The heap overflow corrupts memory in the process running the vulnerable DBI code, which can crash the application or make it behave unpredictably. Heap corruption of this kind can in some cases be turned into arbitrary code execution with the privileges of that process, compromising the system it runs on. Whether an attacker can reach it depends on whether untrusted input can influence the number of placeholders in a statement that is preparsed (for example, an IN list with one ? per user-supplied value); a fixed statement with 10 or more placeholders overflows by the same amount on every execution even with no attacker involved, so it is a stability problem in its own right.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable code runs in Perl DBI versions before 1.648 whenever a SQL statement with more than 9 binders is preparsed, so detection has two parts: finding installations of a vulnerable DBI version, and finding code that passes statements with 10 or more placeholders through preparse().
To check which DBI version is installed for a given perl, run the following command (repeat it for every perl interpreter on the host, since a vendor perl and a locally built one can carry different DBI versions):
- perl -MDBI -e 'print $DBI::VERSION, "\n"'
DBI uses plain decimal version numbers, so compare numerically: anything lower than 1.648 (for example 1.647) is potentially vulnerable. On distribution-packaged perls you can also query the package manager; the Debian/Ubuntu package is libdbi-perl and the Red Hat/Fedora package is perl-DBI.
Next, search your codebase for statements with 10 or more ? placeholders. For example, use grep to find lines containing at least ten question marks:
- grep -rnE '\?(.*\?){9,}' /path/to/your/code
This matches any single line with at least 10 question marks, so review the hits by hand: it also flags unrelated code (regular expressions, ternary operators), and it misses statements that span several lines or whose placeholder list is generated at runtime, such as an IN list built with join(',', ('?') x @values), where the count depends on the data. Only statements that are actually passed through preparse() reach the vulnerable buffer, so confirm that path as well before treating a hit as exploitable.
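As an added illustration, not DBI's own code and not part of this advisory, the following C program models the sizing mistake described in the explanation above and shows the bounded rewrite that fixes it. The "three characters per binder" sizing model, the function names (count_placeholders, naive_allocation, exact_required, overflow_bytes, convert_placeholders, converts_to) and the sample statements are assumptions constructed for this example. overflow_bytes reports how far the undersized buffer falls short for a given statement, convert_placeholders performs the ?-to-:pN rewrite into a buffer sized from the real digit count with every write bounded, and count_placeholders is the detection heuristic of the previous answer applied to a statement string rather than to a line of source, so it also catches multi-line or runtime-built statements once they are assembled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count '?' placeholders in a statement.  Simplification for this demo:
 * a real preparser must also skip '?' inside string literals and
 * comments; the constructed inputs below contain none. */
size_t count_placeholders(const char *sql)
{
    size_t n = 0;
    for (const char *p = sql; *p; p++)
        if (*p == '?')
            n++;
    return n;
}

/* Number of decimal digits in n (n >= 1). */
static size_t digits(size_t n)
{
    size_t d = 1;
    while (n >= 10) {
        n /= 10;
        d++;
    }
    return d;
}

/* Assumed model of the flawed pre-1.648 sizing: every '?' (1 byte) is
 * expected to become ":pN" (3 bytes), i.e. +2 bytes per placeholder,
 * plus the NUL terminator.  Not DBI's actual code. */
size_t naive_allocation(const char *sql)
{
    return strlen(sql) + 2 * count_placeholders(sql) + 1;
}

/* Exact output size: placeholder k becomes ":p" followed by digits(k). */
size_t exact_required(const char *sql)
{
    size_t n = count_placeholders(sql);
    size_t len = strlen(sql) - n;       /* bytes copied through unchanged */
    for (size_t k = 1; k <= n; k++)
        len += 2 + digits(k);           /* ":p" + decimal index */
    return len + 1;                     /* NUL terminator */
}

/* Bytes the naive sizing falls short by: one per two-digit binder, two
 * per three-digit binder, and so on.  0 means the buffer is big enough. */
size_t overflow_bytes(const char *sql)
{
    size_t need = exact_required(sql), have = naive_allocation(sql);
    return need > have ? need - have : 0;
}

/* Rewrite '?' -> ':pN' into a correctly sized heap buffer.  Every write
 * is bounded by the remaining space, so a sizing mistake fails closed
 * (returns NULL) instead of corrupting the heap.  Caller frees. */
char *convert_placeholders(const char *sql)
{
    size_t need = exact_required(sql);
    char *out = malloc(need);
    if (!out)
        return NULL;

    char *dst = out;
    size_t k = 0;
    for (const char *src = sql; *src; src++) {
        size_t left = need - (size_t)(dst - out);
        if (*src == '?') {
            int w = snprintf(dst, left, ":p%zu", ++k);
            if (w < 0 || (size_t)w >= left) {  /* would have truncated */
                free(out);
                return NULL;
            }
            dst += w;
        } else {
            if (left < 2) {                    /* room for byte + NUL */
                free(out);
                return NULL;
            }
            *dst++ = *src;
        }
    }
    *dst = '\0';
    return out;
}

/* Convenience for checks: 1 if sql rewrites exactly to expected. */
int converts_to(const char *sql, const char *expected)
{
    char *got = convert_placeholders(sql);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed samples: nine placeholders fit, ten do not. */
    const char *nine = "SELECT 1 WHERE ? IN (?,?,?,?,?,?,?,?)";
    const char *ten  = "INSERT INTO t VALUES (?,?,?,?,?,?,?,?,?,?)";
    printf("%zu placeholders: naive buffer short by %zu byte(s)\n",
           count_placeholders(nine), overflow_bytes(nine));
    printf("%zu placeholders: naive buffer short by %zu byte(s)\n",
           count_placeholders(ten), overflow_bytes(ten));
    char *s = convert_placeholders(ten);
    if (s) {
        puts(s);
        free(s);
    }
    return 0;
}
```

The shortfall grows with the number of two- and three-digit binders rather than with statement length, which is why a long but nine-placeholder statement is safe while a short twelve-placeholder one overflows by three bytes; sizing from the actual digit count, as exact_required does, is the general fix of which the 1.648 patch is one instance.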