VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-9698

Description

DBI for Perl versions prior to 1.648 are vulnerable to a buffer overflow when error messages exceed a 200-byte limit, potentially allowing attackers to influence error text.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

DBI versions before 1.648 for Perl contain a vulnerability where error messages are written to a fixed-size 200-byte buffer without proper length checking. This can occur when RaiseError, PrintError, or HandleError are set, and the error message exceeds the buffer's capacity.

Exploitation

An attacker who can influence the error text generated by an application using a vulnerable version of DBI can trigger this buffer overflow. This requires the application to be configured to use error handling mechanisms that write to the limited buffer.

Impact

Successful exploitation of this buffer overflow could lead to a denial-of-service condition or potentially allow for arbitrary code execution, depending on the specific conditions and the attacker's ability to control the overflowed data.

Mitigation

DBI version 1.648, released on 2026-06-04 [1], addresses this vulnerability. Users are advised to upgrade to DBI version 1.648 or later. No workarounds are specified in the available references [3].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
bfe5d73c162d

Fix possible stack overflow (old issue already noted by Tim)

https://github.com/perl5-dbi/dbi · H.Merijn Brand - Tux · May 27, 2026 · via body-scan
5 files changed · +12 −9
  • ChangeLog +2 −1 modified
    @@ -1,7 +1,8 @@
    -1.648 - 2025-03-14, H.Merijn Brand
    +1.648 - 2025-05-27, H.Merijn Brand
         * Correct sprintf usage for trace_msg (issue#132)
         * Add DBIXS_VERSION & DBIXS_RELEASE to dbixs_rev.h
         * Remove -Wbad-function-cast
    +    * Fix possible stack overflow (old issue already noted by Tim)
     
     1.647 - 2025-01-20, H.Merijn Brand
         * Spellcheck
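Review bot: the new entry `+    * Fix possible stack overflow (old issue already noted by Tim)` is the only changelog record of a security fix and names neither the buffer nor the function; say that the `intro[200]` buffer in `XS_DBI_dispatch` (DBI.xs) could be overrun by a long error prefix, so packagers can map the entry to CVE-2026-9698 without reading the diff.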
    
  • DBI.xs +2 −5 modified
    @@ -4000,18 +4000,15 @@ XS(XS_DBI_dispatch)
             SV **statement_svp = NULL;
             const int is_warning = (!SvTRUE(err_sv) && strlen(SvPV_nolen(err_sv))==1);
             const char *err_meth_name = meth_name;
    -        char intro[200];
     
             if (meth_type == methtype_set_err) {
                 SV **sem_svp = hv_fetchs((HV*)SvRV(h), "dbi_set_err_method", GV_ADDWARN);
                 if (SvOK(*sem_svp))
                     err_meth_name = SvPV_nolen(*sem_svp);
             }
     
    -        /* XXX change to vsprintf into sv directly */
    -        sprintf(intro,"%s %s %s: ", HvNAME(DBIc_IMP_STASH(imp_xxh)), err_meth_name,
    -            SvTRUE(err_sv) ? "failed" : is_warning ? "warning" : "information");
    -        msg = sv_2mortal(newSVpv(intro,0));
    +        msg = sv_2mortal(newSVpvf("%s %s %s: ", HvNAME(DBIc_IMP_STASH(imp_xxh)), err_meth_name,
    +            SvTRUE(err_sv) ? "failed" : is_warning ? "warning" : "information"));
             if (SvOK(DBIc_ERRSTR(imp_xxh)))
                 sv_catsv(msg, DBIc_ERRSTR(imp_xxh));
             else
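Review bot: dropping `char intro[200]` and formatting with `newSVpvf` removes the fixed bound, which is the right fix, but the hunk adds no regression test. Of the three `%s` operands, `HvNAME(...)` and the status word are supplied by DBI itself, while `err_meth_name` is read a few lines above from the handle's `dbi_set_err_method` entry via `SvPV_nolen(*sem_svp)`; a test that stores a name longer than 200 bytes there and checks the resulting error string would pin the new behaviour. Removing the `/* XXX change to vsprintf into sv directly */` comment is correct, since this change does exactly what it asked for.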
    
  • dbixs_rev.h +2 −2 modified
    @@ -1,4 +1,4 @@
    -/* Fri Mar 14 15:13:25 2025 */
    +/* Wed May 27 11:14:14 2026 */
     #define DBIXS_RELEASE  1
     #define DBIXS_VERSION  648
    -#define DBIXS_REVISION 1705
    +#define DBIXS_REVISION 1719
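Review bot: the regenerated stamp `/* Wed May 27 11:14:14 2026 */` carries the year 2026, while the hand-edited dates in this same commit (`1.648 - 2025-05-27` in ChangeLog and `27 May 2025` in lib/DBI/Changes.pm) say 2025; one side is wrong, and the release notes should agree with the generated header before 1.648 ships.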
    
  • lib/DBI/Changes.pm +5 −1 modified
    @@ -12,7 +12,7 @@ DBI::Changes - List of significant changes to the DBI
     
     =encoding UTF-8
     
    -=head2 Changes in DBI 1.648 - 14 Mar 2025
    +=head2 Changes in DBI 1.648 - 27 May 2025
     
     =over 2
     
    @@ -28,6 +28,10 @@ Add DBIXS_VERSION & DBIXS_RELEASE to dbixs_rev.h
     
     Remove -Wbad-function-cast
     
    +=item *
    +
    +Fix possible stack overflow (old issue already noted by Tim)
    +
     =back
     
     =head2 Changes in DBI 1.647 - 20 Jan 2025
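Review bot: this POD item repeats the ChangeLog wording verbatim, and Makefile.PL in this commit has a `changes: $(changes_pm1)` target that suggests lib/DBI/Changes.pm is derived from ChangeLog; if so, a hand edit here is overwritten on the next `make changes`, and the text should be fixed at its source. Either way the item should say what overflowed (the `intro[200]` buffer in DBI.xs) rather than only "possible stack overflow".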
    
  • Makefile.PL +1 −0 modified
    @@ -364,6 +364,7 @@ ptest:  all
     .PHONY:	doc change changes spellcheck checkpod newdist
     changes:	$(changes_pm1)
     doc:
    +	perl dbixs_rev.pl
     	perl doc/make-doc.pl --pod
     spellcheck checkpod:	doc
     	pod-spell-check -i -a doc/*.pod
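Review bot: adding `perl dbixs_rev.pl` to the `doc:` recipe regenerates dbixs_rev.h (timestamp and `DBIXS_REVISION`, see the dbixs_rev.h hunk) on every documentation build, so `make doc` now dirties a tracked header and ties the recorded revision to whenever docs were last rebuilt; a separate target run only at release time, or writing the generated file into the build directory, would avoid that churn.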
    

Vulnerability mechanics

Root cause

"Error messages were written to a fixed-size buffer without proper length checking."

Attack vector

An attacker can influence the error text returned by the application. When RaiseError, PrintError, or HandleError are enabled, this error text is written into a 200-byte buffer without a length check. If the error text exceeds this buffer size, a buffer overflow occurs, potentially leading to a crash or other unintended behavior [ref_id=1].

Affected code

The vulnerability exists in the `DBI.xs` file, specifically within the `XS_DBI_dispatch` function. The code previously used a fixed-size stack buffer `intro[200]` and `sprintf` to format the error-message prefix (handle class, method name, and status), which could overflow the buffer if the formatted string was longer than 200 bytes [ref_id=1].

What the fix does

The patch replaces the `sprintf` into `intro` with `sv_2mortal(newSVpvf(...))`, which formats directly into a Perl SV sized to the output and therefore cannot overrun a fixed buffer [ref_id=1]. Error messages are formatted safely however long they are, because the memory for the resulting string is allocated to fit.
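As an added example that is not DBI's own code, the following plain-C model of the prefix formatting in `XS_DBI_dispatch` measures how many bytes the `"%s %s %s: "` prefix needs, reports whether the old `intro[200]` would have overflowed, and shows a measure-then-allocate replacement in the spirit of `newSVpvf`. The handle class `DBI::db`, the method names and the status strings are constructed inputs.

```c
/* Added example, not DBI's code: models the error-prefix formatting in
 * XS_DBI_dispatch. The pre-fix code did sprintf() of "%s %s %s: " into a
 * char intro[200]; the fix formats into a growable Perl SV (newSVpvf). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INTRO_FIXED_SIZE 200   /* size of the old intro[] stack buffer */

/* Bytes (excluding the NUL) the formatted prefix needs; a NULL, zero-sized
 * destination makes snprintf measure without writing anything. */
static size_t intro_needed(const char *stash, const char *meth, const char *status)
{
    int n = snprintf(NULL, 0, "%s %s %s: ", stash, meth, status);
    return n < 0 ? 0 : (size_t)n;
}

/* sprintf stores n bytes plus a NUL, so n >= 200 would run past intro[200]. */
static int intro_would_overflow(const char *stash, const char *meth, const char *status)
{
    return intro_needed(stash, meth, status) >= INTRO_FIXED_SIZE;
}

/* Hardened counterpart of newSVpvf: measure, allocate exactly, then format
 * with the bound passed to snprintf. Caller frees; NULL on allocation failure. */
static char *intro_format(const char *stash, const char *meth, const char *status)
{
    size_t need = intro_needed(stash, meth, status);
    char *buf = malloc(need + 1);
    if (buf != NULL)
        snprintf(buf, need + 1, "%s %s %s: ", stash, meth, status);
    return buf;
}

/* Constructed input: a method name of len bytes (DBI.xs reads this component
 * from the handle's dbi_set_err_method entry, so its length is not fixed). */
static char *long_method_name(size_t len)
{
    char *m = malloc(len + 1);
    if (m != NULL) { memset(m, 'x', len); m[len] = '\0'; }
    return m;
}

int main(void)
{
    char *meth = long_method_name(250);            /* constructed, > 200 bytes */
    char *pfx = meth ? intro_format("DBI::db", meth, "failed") : NULL;
    printf("short: overflow=%d\n", intro_would_overflow("DBI::db", "set_err", "failed"));
    if (pfx)
        printf("long: %zu bytes, overflow=%d\n", strlen(pfx), intro_would_overflow("DBI::db", meth, "failed"));
    free(pfx); free(meth);
    return 0;
}
```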

Preconditions

  • config: RaiseError, PrintError, or HandleError must be enabled.
  • input: The attacker must be able to influence the content of error messages generated by the application.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
