CVE-2026-14740: DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment Robert Rothenberg 07 Jul 2026 22:08 UTC

========================================================================
CVE-2026-14740                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-14740
   Distribution:  DBI
       Versions:  before 1.650

       MetaCPAN:  https://metacpan.org/dist/DBI
       VCS Repo:  https://github.com/perl5-dbi/dbi

DBI versions before 1.650 for Perl read one byte out-of-bounds in
preparse when deleting an initial SQL comment

Description
-----------
DBI versions before 1.650 for Perl read one byte out-of-bounds in
preparse when deleting an initial SQL comment.

The preparse method normalises SQL and removes comments. When the SQL
starts with a comment line, the deletion of that line during
normalisation led to an out-of-bounds read by one byte. The result is a
fault on memory-hardened builds and nondeterministic newline retention
on normal builds.

Problem types
-------------
- CWE-125 Out-of-bounds Read

Workarounds
-----------
Remove initial comments from SQL statements before passing them to DBI.

Solutions
---------
Upgrade to DBI version 1.650 or later.

References
----------
https://github.com/perl5-dbi/dbi/commit/fc16f9e8b3dd5c65caf1867781ab2bfe2fadcc01.patch
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-35f4-f8m9-w8xg
https://metacpan.org/release/HMBRAND/DBI-1.650/changes