VYPR
Unrated severity · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-10879

Description

DBI for Perl versions before 1.648 suffer a heap overflow when preparsing SQL with over 9 binders due to insufficient buffer allocation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

DBI versions prior to 1.648 contain a heap overflow in the preparse method. preparse rewrites placeholders such as `?` into numbered binders (`:p1`, `:p2`, ...) and sizes its output buffer as a fixed multiple of the input length. A `?` occupies one byte while `:p1` through `:p9` occupy three, and from the tenth placeholder on each binder name needs four or more bytes (`:p10`, `:p11`, ...), so a statement with more than nine placeholders can produce more output than the buffer holds [1, 2].

Exploitation

An attacker who controls an SQL statement string that reaches preparse in a vulnerable DBI can trigger the overflow by including more than nine placeholders: preparse expands them to `:p1` ... `:p10` and beyond, and the expanded text overruns the undersized buffer [2]. preparse is a DBI handle method, so the bug is only reachable where application or driver code calls it, directly or indirectly, on attacker-influenced SQL; which code paths do so has to be checked per deployment, since the references do not enumerate them.

Impact

Successful exploitation can crash the application (denial of service) or, because the bytes written past the buffer are taken from the attacker-supplied statement, corrupt heap memory in ways that may allow arbitrary code execution. The practical impact depends on the heap layout at the time of the overflow and on the privileges of the process using DBI [2].

Mitigation

The vulnerability is fixed in DBI version 1.648, released on 2026-06-04 [1]. Users are advised to upgrade to DBI version 1.648 or later. No workarounds are specified in the available references [1, 2].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Perl5 Dbi/Dbi (2 version entries, no CPE): range <1.648

Patches

af79036c07aa

Replacing `?` with `:p#` in `preparse ()` with more than 9 `?` causes buffer overflow

https://github.com/perl5-dbi/dbi · H.Merijn Brand - Tux · May 28, 2026 · via nvd-ref
6 files changed · +10 −5
  • ChangeLog+1 0 modified
    @@ -5,6 +5,7 @@
         * Fix possible stack overflow (old issue already noted by Tim)
         * Do not allow table source locations outside explicit given folders
         * DBD::Sponge PRECISION handling (pr#12, pilcrow)
    +    * Fix possible buffer overflow in preparse
     
     1.647 - 2025-01-20, H.Merijn Brand
         * Spellcheck
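Review bot: the entry "Fix possible buffer overflow in preparse" does not say that this is a heap overflow reachable from SQL with more than nine placeholders, and carries no issue or advisory reference, so anyone scanning the ChangeLog cannot tell it is a security fix; suggest stating the trigger, e.g. "Fix heap buffer overflow in preparse with more than 9 placeholders", and adding the CVE identifier once assigned.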
    
  • DBI.xs+1 1 modified
    @@ -4203,7 +4203,7 @@ preparse(SV *dbh, const char *statement, IV ps_return, IV ps_accept, void *foo)
         }
     
         /* XXX this allocation strategy won't work when we get to more advanced stuff */
    -    new_stmt_sv = newSV(strlen(statement) * 3);
    +    new_stmt_sv = newSV(strlen(statement) * 6 + 16);
         sv_setpv(new_stmt_sv,"");
         src  = statement;
         dest = SvPVX(new_stmt_sv);
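Review bot: the new allocation is still a per-byte multiplier rather than a size derived from the statement, so the `XXX this allocation strategy won't work` comment above it remains true. Six bytes per input byte covers `:p` plus four digits, but the `:p#` expansion named in the commit title needs seven bytes once the ordinal passes 9999; for a statement consisting only of `?` the expansion first exceeds `strlen(statement) * 6 + 16` at 11,123 placeholders. Suggest counting the `?` characters up front and allocating `strlen(statement) + count * (2 + digits(count))`, or calling `SvGROW(new_stmt_sv, ...)` and refreshing `dest` before each write, so the bound cannot be exceeded for any input.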
    
  • dbixs_rev.h+2 2 modified
    @@ -1,4 +1,4 @@
    -/* Thu May 28 13:43:39 2026 */
    +/* Thu May 28 14:07:26 2026 */
     #define DBIXS_RELEASE  1
     #define DBIXS_VERSION  648
    -#define DBIXS_REVISION 1735
    +#define DBIXS_REVISION 1737
    
  • doc/DBI.3+1 1 modified
    @@ -58,7 +58,7 @@
     .\" ========================================================================
     .\"
     .IX Title "DBI 3"
    -.TH DBI 3 2026-05-27 "perl v5.42.2" "User Contributed Perl Documentation"
    +.TH DBI 3 2026-05-28 "perl v5.42.2" "User Contributed Perl Documentation"
     .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
     .\" way too many mistakes in technical documents.
     .if n .ad l
    
  • doc/DBI.man+1 1 modified
    @@ -6435,4 +6435,4 @@ TODO
            installed_methods
            setup_driver
     
    -perl v5.42.2                      2026-05-27                            DBI(3)
    +perl v5.42.2                      2026-05-28                            DBI(3)
    
  • lib/DBI/Changes.pm+4 0 modified
    @@ -40,6 +40,10 @@ Do not allow table source locations outside explicit given folders
     
     DBD::Sponge PRECISION handling (pr#12, pilcrow)
     
    +=item *
    +
    +Fix possible buffer overflow in preparse
    +
     =back
     
     =head2 Changes in DBI 1.647 - 20 Jan 2025
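Review bot: this is the entry users see on MetaCPAN, and like the ChangeLog line it gives neither the severity nor the affected range; suggest wording it as a security fix with the trigger condition (more than nine placeholders passed to preparse) and noting that all releases before 1.648 are affected, so downstream packagers can assess exposure without reading the diff.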
    

Vulnerability mechanics

Root cause

"The preparse method incorrectly allocates buffer space for SQL statement placeholders."

Attack vector

An attacker can trigger this vulnerability by getting an SQL statement with more than nine binder placeholders into preparse. The method expands each placeholder into a numbered binder, but the output buffer is sized at three times the input length, which covers `:p1` to `:p9` (three bytes each) and nothing longer: from `:p10` onward each binder needs four or more bytes. Because ordinary SQL text around the placeholders expands one to one, that surplus is absorbed until the total expansion exceeds the allocation; ten consecutive `?` characters (10 bytes in, 31 bytes out) are enough, while ten placeholders spread through a long statement may not be. Once the total does exceed the buffer, the write runs past the end of the heap-allocated SV [ref_id=1].

Affected code

The vulnerability lies within the preparse function in `DBI.xs`. The code incorrectly calculates the buffer size needed for expanded SQL placeholders. Specifically, the line `new_stmt_sv = newSV(strlen(statement) * 3);` is updated to `new_stmt_sv = newSV(strlen(statement) * 6 + 16);` to fix the buffer overflow [patch_id=4935415].

What the fix does

The patch changes the preparse output allocation from `strlen(statement) * 3` bytes, which only covers three-byte binder names such as `:p9`, to `strlen(statement) * 6 + 16` bytes, enough for six-byte names up to `:p9999` plus a small fixed reserve. The fix does not compute the exact expanded size; it raises the per-byte multiplier so that far larger placeholder counts fit [patch_id=4935415].
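The size arithmetic behind the bug and the fix, as an added example that is not DBI's own code: a small C model of the `?` to `:pN` expansion that computes the exact output length, compares it against the old (`* 3`) and new (`* 6 + 16`) allocation formulas, and shows a hardened expander that sizes its buffer from the actual count. It assumes, as a simplification, that every `?` is a placeholder (the real preparse also skips quoted strings and comments) and that `newSV(len)` yields `len` usable bytes plus a NUL; `SAMPLE_IN_LIST`, `make_qmarks` and `expand_safe` are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decimal digits in n (n >= 1). */
static size_t digits(size_t n) {
    size_t d = 1;
    while (n >= 10) { n /= 10; d++; }
    return d;
}

/* Exact output size (without NUL) when every '?' in stmt becomes ":pN",
 * N being the 1-based ordinal of that placeholder, and every other byte is
 * copied through.  Model of the `?` -> `:p#` path only (assumption): the
 * real preparse also tracks quotes and comments, which this ignores. */
size_t expanded_len(const char *stmt) {
    size_t out = 0, n = 0;
    for (const char *p = stmt; *p; p++) {
        if (*p == '?') { n++; out += 2 + digits(n); }   /* ':' 'p' + digits */
        else out++;
    }
    return out;
}

/* Buffer sizes the two DBI versions request with newSV(): modelled as that
 * many bytes plus one for the NUL (perl may round up, which can hide an
 * overflow but never prevents one). */
size_t old_bound(size_t len) { return len * 3; }       /* DBI < 1.648 */
size_t new_bound(size_t len) { return len * 6 + 16; }  /* DBI 1.648   */

/* 1 if the expansion of stmt fits in a buffer sized by bound(), else 0. */
int fits(const char *stmt, size_t (*bound)(size_t)) {
    return expanded_len(stmt) <= bound(strlen(stmt));
}

/* Hardened expansion (constructed, not DBI's code): size the destination
 * from the exact count instead of a per-byte multiplier, so no placeholder
 * count can overrun it. */
char *expand_safe(const char *stmt) {
    size_t need = expanded_len(stmt);
    char *out = malloc(need + 1);
    if (!out) return NULL;
    char *d = out;
    size_t n = 0;
    for (const char *p = stmt; *p; p++) {
        if (*p == '?') { n++; d += sprintf(d, ":p%zu", n); }
        else *d++ = *p;
    }
    *d = '\0';
    return out;
}

/* Constructed input: k consecutive '?' (caller frees). */
char *make_qmarks(size_t k) {
    char *s = malloc(k + 1);
    if (!s) return NULL;
    memset(s, '?', k);
    s[k] = '\0';
    return s;
}

/* Constructed sample: ten placeholders diluted by ordinary SQL text. */
const char *SAMPLE_IN_LIST = "SELECT a FROM t WHERE x IN (?,?,?,?,?,?,?,?,?,?)";

int main(void) {
    /* 9 fits the old bound, 10 consecutive '?' overflow it, and 11123
     * consecutive '?' are the first count that exceeds the new bound. */
    size_t counts[] = { 9, 10, 11123 };
    for (size_t i = 0; i < 3; i++) {
        char *s = make_qmarks(counts[i]);
        if (!s) return 1;
        printf("%6zu x '?': old bound %s, new bound %s\n", counts[i],
               fits(s, old_bound) ? "ok" : "OVERFLOW",
               fits(s, new_bound) ? "ok" : "OVERFLOW");
        free(s);
    }
    /* More than nine placeholders alone is not enough: surrounding text
     * expands 1:1 and absorbs the surplus under the old bound. */
    printf("in-list sample: old bound %s\n",
           fits(SAMPLE_IN_LIST, old_bound) ? "ok" : "OVERFLOW");
    char *e = expand_safe(SAMPLE_IN_LIST);
    if (!e) return 1;
    printf("%s\n", e);
    free(e);
    return 0;
}
```

The `expand_safe` routine is the shape of the fix a reviewer would prefer over a larger multiplier: one counting pass determines the exact size, so the allocation is correct for any placeholder count, and the cost is a second linear scan of a string that is being scanned anyway.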

Preconditions

  • input: an SQL statement containing more than 9 binder placeholders that reaches DBI's preparse method.

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.