
Description

DBI versions before 1.648 for Perl saved errors in a fixed-size buffer. Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers who can influence the error text in an application can trigger a buffer overflow.

PUBLISHED Reserved 2026-05-27 | Published 2026-06-09 | Updated 2026-06-09 | Assigner CPANSec

Problem types

CWE-787 Out-of-bounds Write

Product status

Default status: unaffected

Any version before 1.648: affected

Timeline

2026-04-25: Issue reported to CPANSec.
2026-05-27: Commit fixed the issue in DBI.
2026-06-04: DBI 1.648 released.

References

metacpan.org/release/HMBRAND/DBI-1.648/changes release-notes

github.com/...bfe5d73c162d2d1f761a639a0aa33aad6a9eb54e.patch patch

cve.org (CVE-2026-9698)

nvd.nist.gov (CVE-2026-9698)
