DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders Robert Rothenberg 07 Jul 2026 22:07 UTC

========================================================================
CVE-2026-14739                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-14739
   Distribution:  DBI
       Versions:  before 1.650

       MetaCPAN:  https://metacpan.org/dist/DBI
       VCS Repo:  https://github.com/perl5-dbi/dbi

DBI versions before 1.650 for Perl have a heap overflow when preparsing
SQL statements with an extreme number of placeholders

Description
-----------
DBI versions before 1.650 for Perl have a heap overflow when preparsing
SQL statements with an extreme number of placeholders.

The fix for CVE-2026-10879 did not allocate enough memory to handle
approximately 1.2-million placeholders.

DBI version 1.650 sets a hard limit of 99,999 placeholders.

Problem types
-------------
- CWE-787 Out-of-bounds Write

Solutions
---------
Upgrade to DBI version 1.650 or later.

References
----------
https://github.com/perl5-dbi/dbi/commit/2b77c88b655e9539a592c71a61fb965fc0075395.patch
https://www.cve.org/CVERecord?id=CVE-2026-10879
https://metacpan.org/release/HMBRAND/DBI-1.650/changes

Timeline
--------
- 2026-06-04: Version 1.648 released with a fix for CVE-2026-10879.
- 2026-07-07: Version 1.650 released.