Skip to main content

Perl DBI CVE-2026-14739

| EUVDEUVD-2026-42124 CRITICAL
Out-of-bounds Write (CWE-787)
2026-07-07 CPANSec GHSA-w9gf-c5hh-cc8w
Critical
Disputed · 9.8 Vendor: CPANSec
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (CPANSec) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

AC:H because triggering needs an app-mediated statement with ~1.2M placeholders (extreme, non-default input); a crash is the reliable impact while code execution is unproven, so C:L/I:L with A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
8.1 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 08, 2026 - 14:23 vuln.today
CVSS changed
Jul 08, 2026 - 14:22 NVD
9.8 (CRITICAL)
CVE Published
Jul 07, 2026 - 22:05 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders.

The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders.

DBI version 1.650 sets a hard limit of 99,999 placeholders.

AnalysisAI

Heap out-of-bounds write in the Perl DBI database-interface module before version 1.650 occurs when DBI preparses a SQL statement containing an extreme number of placeholders. This is a regression: the fix for CVE-2026-10879 under-allocated the placeholder buffer and could not accommodate roughly 1.2 million placeholders, so DBI 1.650 now enforces a hard cap of 99,999 placeholders. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint building SQL from input
Delivery
Submit oversized input list
Exploit
Generate ~1.2M placeholders in statement
Execution
DBI preparser overflows heap allocation
Persist
Corrupt adjacent heap memory
Impact
Crash process (DoS) or possible code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires that the vulnerable DBI preparser receive a single SQL statement containing an extreme number of bind placeholders - on the order of the ~1.2 million that defeated the CVE-2026-10879 fix. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are conflicting and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application builds a SQL statement whose placeholder count scales with attacker-influenced input - for example an IN-clause or bulk insert generated from an unbounded list - and passes it to DBI->prepare. By supplying an input list large enough to produce roughly a million-plus placeholders, an attacker forces the preparser to overflow its heap allocation, corrupting memory and most reliably crashing the process (denial of service); code execution is theoretically possible but unproven. …
Remediation Upgrade to Vendor-released patch: DBI 1.650, which sets a hard limit of 99,999 placeholders and correctly sizes the allocation; install it from CPAN (for example cpanm DBI@1.650) or apply the upstream commit https://github.com/perl5-dbi/dbi/commit/2b77c88b655e9539a592c71a61fb965fc0075395.patch, and review the change log at https://metacpan.org/release/HMBRAND/DBI-1.650/changes. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems and applications using Perl DBI versions prior to 1.650 via dependency scanning and software inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected

Share

CVE-2026-14739 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy