CVE-2026-14739
Received Received - Intake

Heap Overflow in Perl DBI Library

Vulnerability report for CVE-2026-14739, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: CPANSec

Description

DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders. DBI version 1.650 sets a hard limit of 99,999 placeholders.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects DBI versions before 1.650 for Perl. It is a heap overflow issue that occurs when preparsing SQL statements containing an extremely large number of placeholders.

The previous fix for a related vulnerability (CVE-2026-10879) did not allocate enough memory to handle around 1.2 million placeholders, which could lead to this overflow.

DBI version 1.650 addresses this by setting a hard limit of 99,999 placeholders to prevent the overflow.

Impact Analysis

A heap overflow vulnerability can lead to unpredictable behavior such as application crashes, data corruption, or potentially allow an attacker to execute arbitrary code.

In this case, if an attacker can supply SQL statements with an extremely large number of placeholders, it may trigger the overflow, compromising the stability or security of the application using DBI.

Mitigation Strategies

To mitigate this vulnerability, upgrade DBI to version 1.650 or later, which sets a hard limit of 99,999 placeholders to prevent heap overflow issues.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14739. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart