Skip to main content

Perl DBI EUVDEUVD-2026-34843

| CVE-2026-10879 CRITICAL
Out-of-bounds Write (CWE-787)
2026-06-05 CPANSec GHSA-c7xw-cj86-m724
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 20:30 vuln.today
Analysis Generated
Jun 08, 2026 - 20:30 vuln.today
CVSS changed
Jun 08, 2026 - 18:22 NVD
9.8 (CRITICAL)
CVE Published
Jun 05, 2026 - 14:30 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders.

The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.

AnalysisAI

Heap buffer overflow in the Perl DBI module versions before 1.648 occurs when the preparse() function processes SQL statements containing 10 or more placeholder binders. The fixed-size buffer allocation (three characters per binder) is insufficient for multi-digit binder names like :p10 through :p99 (four chars) or :p100+ (five chars), enabling memory corruption. EPSS rates exploitation probability at only 0.02% (5th percentile) and no public exploit identified at time of analysis, but the upstream maintainer has shipped a fix expanding the allocation.

Technical ContextAI

DBI (Database Independent Interface) is the foundational database abstraction layer for Perl, used by virtually every Perl application that touches a database (DBD::Pg, DBD::mysql, DBD::Oracle, DBD::SQLite all sit on top of it). The vulnerability lives in DBI.xs preparse(), an XS (C-level) routine that rewrites SQL placeholder syntax. As shown in commit af79036c, the original allocation was newSV(strlen(statement) * 3) - assuming each placeholder character expands into at most three bytes (:pN). However, the Nth binder generates a token of length 3 + floor(log10(N)) characters, so placeholders 10-99 need four bytes, 100-999 need five, and so on. Writing past the SV buffer constitutes a CWE-787 out-of-bounds write on the Perl interpreter heap. The fix reallocates as strlen(statement) * 6 + 16, providing headroom up to roughly 999,999 binders.

RemediationAI

Vendor-released patch: DBI 1.648 - upgrade via cpan DBI, cpanm DBI, or the OS package manager once distribution rebuilds land (Debian libdbi-perl, Red Hat perl-DBI, etc.). The fix is a one-line allocation change in DBI.xs (newSV(strlen(statement) * 6 + 16)) visible at https://github.com/perl5-dbi/dbi/commit/af79036c07aa9a457971c0f4136e37c85dc20978.patch with full changelog at https://metacpan.org/release/HMBRAND/DBI-1.648/changes and the oss-security announcement at https://seclists.org/oss-sec/2026/q2/825. If immediate upgrade is impractical, the compensating control is to audit application code for direct callers of DBI->preparse() and ensure the SQL argument is never derived from untrusted input - note this is application-level only; ordinary prepare()/execute() flows are not the affected path. Restricting placeholder counts to under 10 in any preparse() call avoids the overflow but is brittle and not a substitute for the patch.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected

Share

EUVD-2026-34843 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy