Skip to main content

Perl DBI CVE-2026-9698

| EUVDEUVD-2026-35366 CRITICAL
Out-of-bounds Write (CWE-787)
2026-06-09 CPANSec GHSA-83j7-3c78-fq8j
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.2 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 09, 2026 - 17:22 vuln.today
Analysis Generated
Jun 09, 2026 - 17:22 vuln.today
CVSS changed
Jun 09, 2026 - 17:22 NVD
9.8 (CRITICAL)
CVE Published
Jun 09, 2026 - 07:22 nvd
UNKNOWN (no severity yet)

DescriptionNVD

DBI versions before 1.648 for Perl saved errors in a limited-sized buffer.

Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit.

Attackers that can influence the error text in an application can trigger a buffer overflow.

AnalysisAI

Stack-based buffer overflow in Perl DBI module versions prior to 1.648 allows attackers who can influence database error message content to corrupt memory via a fixed 200-byte stack buffer used during error formatting. The flaw is triggered when applications enable RaiseError, PrintError, or HandleError handlers - a near-universal configuration in production Perl database code. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02% despite the CVSS 9.8 rating.

Technical ContextAI

DBI (Database Independent Interface) is the foundational database abstraction layer used by virtually all Perl applications that interact with databases (DBD::mysql, DBD::Pg, DBD::SQLite, DBD::Oracle, etc.). The root cause is CWE-787 (Out-of-bounds Write): in DBI.xs the XS_DBI_dispatch function declared a fixed 200-byte stack buffer (char intro[200]) and used unbounded sprintf to format an error message header containing the implementor class name, method name, and status text. Because the implementor stash name (HvNAME) and method name are concatenated without a length check, a sufficiently long identifier or error-context string overflows the stack frame. The fix replaces the stack buffer with newSVpvf, which allocates a properly sized Perl SV on the heap.

RemediationAI

Vendor-released patch: DBI 1.648 (released 2025-05-27 by H.Merijn Brand). Upgrade via CPAN with cpan DBI or cpanm DBI@1.648, or install the distribution-packaged version once your OS vendor backports the fix; the upstream commit is at https://github.com/perl5-dbi/dbi/commit/bfe5d73c162d2d1f761a639a0aa33aad6a9eb54e and the oss-security advisory at https://seclists.org/oss-sec/2026/q2/855. As compensating controls until upgrade, audit application error handlers to ensure database error strings derived from user input are not reflected back through DBI's RaiseError/PrintError/HandleError paths, and consider replacing RaiseError with a custom HandleError callback that sanitizes or truncates inputs before DBI's internal formatter runs - the trade-off is loss of DBI's standard error prefix formatting and potentially altered exception messages for application monitoring.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected

Share

CVE-2026-9698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy