DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders
Robert Rothenberg 07 Jul 2026 22:07 UTC
========================================================================
CVE-2026-14739 CPAN Security Group
========================================================================
CVE ID: CVE-2026-14739
Distribution: DBI
Versions: before 1.650
MetaCPAN: https://metacpan.org/dist/DBI
VCS Repo: https://github.com/perl5-dbi/dbi
DBI versions before 1.650 for Perl have a heap overflow when preparsing
SQL statements with an extreme number of placeholders
Description
-----------
DBI versions before 1.650 for Perl have a heap overflow when preparsing
SQL statements with an extreme number of placeholders.
The fix for CVE-2026-10879 did not allocate enough memory to handle
approximately 1.2-million placeholders.
DBI version 1.650 sets a hard limit of 99,999 placeholders.
Problem types
-------------
- CWE-787 Out-of-bounds Write
Solutions
---------
Upgrade to DBI version 1.650 or later.
References
----------
https://github.com/perl5-dbi/dbi/commit/2b77c88b655e9539a592c71a61fb965fc0075395.patch
https://www.cve.org/CVERecord?id=CVE-2026-10879
https://metacpan.org/release/HMBRAND/DBI-1.650/changes
Timeline
--------
- 2026-06-04: Version 1.648 released with a fix for CVE-2026-10879.
- 2026-07-07: Version 1.650 released.