CVE-2026-14740
Received Received - Intake

Out-of-Bounds Read in Perl DBI Library

Vulnerability report for CVE-2026-14740, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-08

Assigner: CPANSec

Description

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
perl dbi to 1.650 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in DBI versions before 1.650 for Perl. It involves the preparse method, which normalises SQL and removes comments. When the SQL starts with a comment line, deleting that initial comment line during normalisation causes the program to read one byte out-of-bounds.

This out-of-bounds read can cause faults in memory-hardened builds and can lead to unpredictable newline retention behavior in normal builds.

Impact Analysis

The impact of this vulnerability includes potential faults or crashes in memory-hardened environments due to the out-of-bounds read. In normal builds, it may cause inconsistent handling of newlines in SQL processing, which could affect the correctness of SQL normalization and comment removal.

Compliance Impact

There is no information provided in the available context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability occurs during the processing of SQL statements that start with a comment line in the Perl DBI module's preparse function. Detection involves identifying SQL inputs where the first token is a deletable line comment such as "-- x\n" or "# x\n" passed to DBI's preparse method.

Since the issue is an out-of-bounds read triggered by specific SQL input, you can detect attempts by monitoring logs or network traffic for SQL statements beginning with such comments.

There are no specific commands provided in the resources to detect this vulnerability directly on a system or network.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Perl DBI module to version 1.650 or later, where the issue has been fixed.

Alternatively, as an immediate workaround, remove initial comments from SQL statements before passing them to the DBI preparse method.

Applying the patch that guards the out-of-bounds read in the preparse function is also a mitigation step if upgrading is not immediately possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14740. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart