Home

Description

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds.

PUBLISHED Reserved 2026-07-04 | Published 2026-07-07 | Updated 2026-07-08 | Assigner CPANSec

Problem types

CWE-125 Out-of-bounds Read

Product status

Default status
unaffected

Any version before 1.650
affected

References

www.openwall.com/lists/oss-security/2026/07/07/17

github.com/...fc16f9e8b3dd5c65caf1867781ab2bfe2fadcc01.patch patch

github.com/...bi/dbi/security/advisories/GHSA-35f4-f8m9-w8xg vendor-advisory

metacpan.org/release/HMBRAND/DBI-1.650/changes release-notes

cve.org (CVE-2026-14740)

nvd.nist.gov (CVE-2026-14740)

Download JSON