CVE Catalog

CVE-2026-10879

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.05%

17th percentile — higher than 17% of all known CVEs

Summary

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders but only allocates three characters per binder in the buffer.

Risk Assessment

Heap overflow can lead to unauthorized memory access, posing a risk of executing malicious code. Organizations may be vulnerable to attacks that could result in data loss or system takeover.

Recommendation

It is recommended to upgrade to DBI version 1.648 or later to mitigate this vulnerability. Additionally, an audit of applications using DBI should be conducted to identify potential threats.

Original NVD description (English source)

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS