CVE-2026-60082: DBI versions before 1.651 for Perl do not enforce statement handle consistency with the row
Robert Rothenberg 14 Jul 2026 15:36 UTC
========================================================================
CVE-2026-60082 CPAN Security Group
========================================================================
CVE ID: CVE-2026-60082
Distribution: DBI
Versions: before 1.651
MetaCPAN: https://metacpan.org/dist/DBI
VCS Repo: https://github.com/perl5-dbi/dbi
DBI versions before 1.651 for Perl do not enforce statement handle
consistency with the row
Description
-----------
DBI versions before 1.651 for Perl do not enforce statement handle
consistency with the row.
When the statement handle had no fields but the source row was
non-empty, the internal row-buffer helper would read from a negative
array index.
This could be triggered by a caller supplying inconsistent metadata and
rows to the prepare method.
Problem types
-------------
- CWE-125 Out-of-bounds Read
Solutions
---------
Upgrade to version 1.651 or later.
References
----------
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-rwhc-hhmv-cjvg
https://metacpan.org/release/HMBRAND/DBI-1.651/changes
https://github.com/perl5-dbi/dbi/commit/397868704291bbf0989b97e2c0661189890653e2.patch