CVE-2026-10879
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders but only allocates three characters per binder in the buffer.
Risk Assessment
Heap overflow can lead to unauthorized memory access, posing a risk of executing malicious code. Organizations may be vulnerable to attacks that could result in data loss or system takeover.
Recommendation
It is recommended to upgrade to DBI version 1.648 or later to mitigate this vulnerability. Additionally, an audit of applications using DBI should be conducted to identify potential threats.
Original NVD description (English source)
DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.

