oss-sec mailing list archives

CVE-2026-10879: DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders


From: Robert Rothenberg <rrwo () cpansec org>
Date: Fri, 5 Jun 2026 15:34:02 +0100

========================================================================
CVE-2026-10879                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-10879
  Distribution:  DBI
      Versions:  before 1.648

      MetaCPAN:  https://metacpan.org/dist/DBI
      VCS Repo:  https://github.com/perl5-dbi/dbi


DBI versions before 1.648 for Perl have a heap overflow when preparsing
SQL statements with more than 9 binders

Description
-----------
DBI versions before 1.648 for Perl have a heap overflow when preparsing
SQL statements with more than 9 binders.

The preparse method expands SQL placeholder characters to numbered
binders of the form :pN, but only allocates three characters per binder
in the buffer. Placeholders 10-99 require four characters, 100-999
require five characters, and so on.
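The sizing error described above is easy to see in a small buffer-budget calculation. The following C program is an added illustration, not DBI's own preparse code: it compares a fixed three-bytes-per-binder budget with the exact byte count of ":p1" .. ":pN", and expands '?' placeholders into a buffer sized from the exact count so the result holds for any binder count. The function names, the use of '?' as the placeholder character, and the toy scanner (which does not skip quoted strings or SQL comments, as a real preparser must) are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of decimal digits in n (n >= 1). */
static size_t digits(size_t n) {
    size_t d = 1;
    while (n >= 10) { n /= 10; d++; }
    return d;
}

/* Bytes budgeted for binders :p1 .. :pN when every binder is assumed
 * to be exactly three characters, the sizing the advisory describes.
 * This is only correct while N <= 9. */
size_t naive_binder_bytes(size_t n) {
    return 3 * n;
}

/* Bytes actually needed by binders :p1 .. :pN: ":p" plus the decimal
 * digits of each index. */
size_t exact_binder_bytes(size_t n) {
    size_t total = 0;
    for (size_t i = 1; i <= n; i++)
        total += 2 + digits(i);
    return total;
}

/* Count '?' placeholders. Constructed toy scanner for this example:
 * it does not skip string literals or comments. */
size_t count_placeholders(const char *sql) {
    size_t n = 0;
    for (const char *p = sql; *p; p++)
        if (*p == '?') n++;
    return n;
}

/* Expand each '?' to :p1, :p2, ... into a freshly malloc'd buffer whose
 * size is derived from exact_binder_bytes(), so the expansion cannot
 * write past the end regardless of the binder count. Caller frees. */
char *expand_placeholders(const char *sql) {
    size_t n = count_placeholders(sql);
    size_t len = strlen(sql);
    /* each 1-byte '?' becomes 2 + digits(i) bytes; +1 for the NUL */
    size_t out_size = len - n + exact_binder_bytes(n) + 1;
    char *out = malloc(out_size);
    if (!out) return NULL;
    size_t idx = 0, pos = 0;
    for (const char *p = sql; *p; p++) {
        if (*p == '?') {
            idx++;
            int w = snprintf(out + pos, out_size - pos, ":p%zu", idx);
            pos += (size_t)w;
        } else {
            out[pos++] = *p;
        }
    }
    out[pos] = '\0';
    return out;
}

int main(void) {
    /* Constructed input with ten placeholders: the tenth binder is
     * ":p10", one byte more than the fixed budget allows. */
    const char *sql = "insert into t values (?,?,?,?,?,?,?,?,?,?)";
    size_t n = count_placeholders(sql);
    printf("binders=%zu naive=%zu exact=%zu\n",
           n, naive_binder_bytes(n), exact_binder_bytes(n));
    char *expanded = expand_placeholders(sql);
    if (expanded) {
        puts(expanded);
        free(expanded);
    }
    return 0;
}
```

The two sizing functions agree up to nine binders and diverge from the tenth onward, which is exactly the boundary the advisory names; the gap grows by one byte per binder in each additional digit range.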

Problem types
-------------
- CWE-787 (Out-of-bounds Write)

Solutions
---------
Upgrade to DBI 1.648 or later.


References
----------
https://metacpan.org/release/HMBRAND/DBI-1.648/changes
https://github.com/perl5-dbi/dbi/commit/af79036c07aa9a457971c0f4136e37c85dc20978.patch

Timeline
--------
- 2026-04-25: Issue reported to CPANSec.
- 2026-05-28: Commit fixed the issue in DBI.
- 2026-06-04: DBI 1.648 released.