DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders
CVE-2026-10879

Currently unrated

Key Information:

Vendor: Hmbrand
Status: Dbi
Vendor: CVE Published:; 5 June 2026

What is CVE-2026-10879?

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders.

The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.

Affected Version(s)

DBI 0 < 1.648

References

https://metacpan.org/release/HMBRAND/DBI-1.648/changes

release-notes

https://github.com/perl5-dbi/dbi/commit/af79036c07aa9a457...

patch

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
Jun 4, 2026

CVE-2026-10879 Data

JSON

Hmbrand

What is CVE-2026-10879?

Affected Version(s)

References

Timeline