CVE-2026-9698
Status: Received - Intake
Buffer Overflow in Perl DBI Module Due to Unbounded Error Messages

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: CPANSec

Description
DBI versions before 1.648 for Perl saved errors in a limited-sized buffer. Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers who can influence the error text in an application can trigger a buffer overflow.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| perl   | dbi     | up to 1.648 (exclusive) |
CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
AI Quick Actions
Executive Summary

This vulnerability exists in DBI versions before 1.648 for Perl, where error messages were saved in a fixed-size 200-byte buffer without any length limit.

When error handling options like RaiseError, PrintError, or HandleError were enabled, the error messages were written into this limited buffer.

If an attacker can influence the content of these error messages, they can cause a buffer overflow by exceeding the 200-byte limit.

The underlying cause was unsafe use of sprintf to format strings into a fixed-size stack buffer; the fix replaced that buffer with dynamic memory allocation on the heap, sized to the message.
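The sprintf-into-fixed-buffer pattern the summary describes, beside the measure-then-allocate fix, as an added illustrative example in C. This is not DBI's XS code and does not reproduce its dispatch function; the 200-byte size (taken from the advisory text), the function names and the "handler: detail" message format are assumptions chosen to mirror the description. The would_overflow_fixed check is the kind of bound a reviewer would want to see before any write into a fixed buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative buffer size taken from the advisory's description (200 bytes). */
#define ERR_BUF_SIZE 200

/* Length of "<handler>: <detail>" as the format below would produce it,
 * computed without writing anything (snprintf with a NULL buffer). */
static int formatted_length(const char *handler, const char *detail)
{
    return snprintf(NULL, 0, "%s: %s", handler, detail);
}

/* Defender's check: would formatting this message into a fixed
 * ERR_BUF_SIZE buffer write past its end?  Returns 1 if so, 0 if not.
 * needed >= ERR_BUF_SIZE means needed + 1 (with the NUL) no longer fits. */
int would_overflow_fixed(const char *handler, const char *detail)
{
    int needed = formatted_length(handler, detail);
    return needed < 0 || needed >= ERR_BUF_SIZE;
}

/* BEFORE (illustrative pattern, not DBI's code): sprintf into a fixed
 * stack buffer with no length check.  If the formatted message is longer
 * than ERR_BUF_SIZE - 1 bytes, sprintf writes past the end of errbuf
 * (CWE-787).  It exists here only to show the shape of the bug, and is
 * exercised below with a short, trusted message only. */
int format_error_fixed(const char *handler, const char *detail)
{
    char errbuf[ERR_BUF_SIZE];
    int n = sprintf(errbuf, "%s: %s", handler, detail);   /* unbounded write */
    fputs(errbuf, stderr);
    fputc('\n', stderr);
    return n;
}

/* AFTER: measure first, then allocate exactly enough on the heap.
 * Caller frees the result.  Returns NULL on formatting or allocation failure. */
char *format_error_heap(const char *handler, const char *detail)
{
    int needed = formatted_length(handler, detail);
    if (needed < 0)
        return NULL;
    size_t size = (size_t)needed + 1;                      /* room for NUL */
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    snprintf(buf, size, "%s: %s", handler, detail);        /* bounded write */
    return buf;
}

/* Helper: build a constructed "detail" string of n copies of c, standing in
 * for error text of arbitrary length that an application lets a user influence. */
char *make_repeated(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    const char *short_detail = "table \"accounts\" does not exist";
    char *long_detail = make_repeated('x', 500);   /* constructed: well over 200 bytes */
    if (long_detail == NULL)
        return 1;

    printf("short message overflows fixed buffer: %d\n",
           would_overflow_fixed("RaiseError", short_detail));
    printf("long message overflows fixed buffer:  %d\n",
           would_overflow_fixed("RaiseError", long_detail));

    /* Safe either way: the heap version sizes the buffer to the message. */
    char *msg = format_error_heap("RaiseError", long_detail);
    if (msg != NULL) {
        printf("heap-formatted message length: %zu\n", strlen(msg));
        free(msg);
    }
    /* The fixed-buffer version is only ever given the short message here. */
    format_error_fixed("RaiseError", short_detail);

    free(long_detail);
    return 0;
}
```

The heap variant has no upper bound on what it allocates, which is the trade the advisory's fix makes: an over-long message costs memory rather than stack integrity. Where an application cannot tolerate unbounded allocation, the same snprintf(NULL, 0, ...) measurement lets it truncate or reject the message at a policy-chosen length instead.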

Detection Guidance

This vulnerability is a buffer overflow in Perl DBI module versions before 1.648, triggered when error messages are written to a fixed-size buffer. Detection consists of identifying whether your system is running a vulnerable version of the Perl DBI module.

You can check the installed version of the DBI module in Perl by running the following command in your terminal or command prompt:

  • perl -MDBI -e 'print $DBI::VERSION, "\n"'

If the version is earlier than 1.648, your system is potentially vulnerable.

Additionally, monitoring application logs for unusually long or malformed error messages that could indicate attempts to exploit the buffer overflow may help in detection, though no specific commands for this are provided.

Mitigation Strategies

The primary mitigation step is to upgrade the Perl DBI module to version 1.648 or later, where the vulnerability has been fixed by replacing unsafe fixed-size buffer usage with dynamic memory allocation.

If upgrading immediately is not possible, consider reviewing and restricting input that can influence error messages to prevent attackers from triggering the buffer overflow.

Applying the patch referenced in Resource 1, which fixes the unsafe sprintf usage in the XS_DBI_dispatch function, is also a direct mitigation.

Impact Analysis

This vulnerability can lead to a buffer overflow, which may allow attackers to execute arbitrary code or cause a denial of service in applications using the affected Perl DBI versions.

If an attacker can control the error message content, they can exploit this to potentially compromise the security and stability of the application.
