CVE-2026-10879: DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders Robert Rothenberg 05 Jun 2026 14:34 UTC

========================================================================
CVE-2026-10879                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-10879
   Distribution:  DBI
       Versions:  before 1.648

       MetaCPAN:  https://metacpan.org/dist/DBI
       VCS Repo:  https://github.com/perl5-dbi/dbi

DBI versions before 1.648 for Perl have a heap overflow when preparsing
SQL statements with more than 9 binders

Description
-----------
DBI versions before 1.648 for Perl have a heap overflow when preparsing
SQL statements with more than 9 binders.

The preparse method expands SQL placeholder characters to numbered
binders of the form :pN, but allocates only three characters per binder
in the output buffer, which is enough for :p1 through :p9. Placeholders
10-99 need four characters, 100-999 need five, and so on, so a statement
with more than nine placeholders writes past the end of the allocation.
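As an added illustration of the sizing mistake (this is not DBI's code and
not the fix in the referenced commit), the C program below models a
preparser that rewrites a bare '?' as :pN. The placeholder syntax, the
function names and the sample statement are assumptions made for this
example. naive_buffer_size reserves three bytes per binder, as the
advisory describes; required_buffer_size accounts for the digits of the
binder number; expand_placeholders is bounds-checked, so a too-small
buffer is reported instead of overflowed, which is where an unchecked
preparser would corrupt the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration of the buffer-sizing bug class described in
 * the advisory. NOT DBI's code: the bare '?' placeholder syntax, the
 * ":pN" output form and all names here are assumptions for this example.
 * Quoting, comments and other placeholder styles are ignored.
 */

/* Number of decimal digits needed to print n (n >= 1). */
static size_t digits_in(size_t n)
{
    size_t d = 1;
    while (n >= 10) { n /= 10; d++; }
    return d;
}

/* Count bare '?' placeholders in sql. */
static size_t count_placeholders(const char *sql)
{
    size_t n = 0;
    for (; *sql; sql++)
        if (*sql == '?')
            n++;
    return n;
}

/* Buggy sizing: assumes every binder becomes exactly 3 bytes (":pN"),
 * i.e. the string grows by 2 bytes per placeholder. True only for N <= 9. */
static size_t naive_buffer_size(const char *sql)
{
    return strlen(sql) + 2 * count_placeholders(sql) + 1; /* +1 for NUL */
}

/* Correct sizing: binder i becomes 2 + digits(i) bytes and replaces 1 byte. */
static size_t required_buffer_size(const char *sql)
{
    size_t n = count_placeholders(sql);
    size_t size = strlen(sql) + 1; /* +1 for NUL */
    for (size_t i = 1; i <= n; i++)
        size += 1 + digits_in(i);
    return size;
}

/* Rewrite '?' placeholders as :p1, :p2, ... into out, never writing past
 * out_len bytes. Returns 0 on success, -1 if out is too small; an
 * unchecked preparser would overflow the heap at exactly that point. */
static int expand_placeholders(const char *sql, char *out, size_t out_len)
{
    size_t pos = 0, binder = 0;
    if (out_len == 0)
        return -1;
    for (; *sql; sql++) {
        if (*sql == '?') {
            char tmp[32];
            int len = snprintf(tmp, sizeof tmp, ":p%zu", ++binder);
            if (len < 0 || pos + (size_t)len >= out_len)
                return -1;            /* no room for binder plus NUL */
            memcpy(out + pos, tmp, (size_t)len);
            pos += (size_t)len;
        } else {
            if (pos + 1 >= out_len)
                return -1;            /* no room for byte plus NUL */
            out[pos++] = *sql;
        }
    }
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: 12 placeholders, so binders :p10-:p12 need 4 bytes. */
    const char *sql = "insert into t values (?,?,?,?,?,?,?,?,?,?,?,?)";
    size_t naive = naive_buffer_size(sql);
    size_t need  = required_buffer_size(sql);
    char *buf = malloc(need);
    if (!buf)
        return 1;
    printf("placeholders=%zu naive=%zu required=%zu shortfall=%zu\n",
           count_placeholders(sql), naive, need, need - naive);
    if (expand_placeholders(sql, buf, naive) != 0)
        printf("naive-size buffer rejected (unchecked code would overflow)\n");
    if (expand_placeholders(sql, buf, need) == 0)
        printf("%s\n", buf);
    free(buf);
    return 0;
}
```

The shortfall grows by one byte for every placeholder past the ninth, and
by two for every one past the ninety-ninth, which is why a statement with
exactly nine placeholders passes and the tenth one overflows.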

Problem types
-------------
- CWE-787 (Out-of-bounds Write)

Solutions
---------
Upgrade to DBI 1.648 or later.

References
----------
https://metacpan.org/release/HMBRAND/DBI-1.648/changes
https://github.com/perl5-dbi/dbi/commit/af79036c07aa9a457971c0f4136e37c85dc20978.patch

Timeline
--------
- 2026-04-25: Issue reported to CPANSec.
- 2026-05-28: Commit fixed the issue in DBI.
- 2026-06-04: DBI 1.648 released.