Perl DBI <1.650 Heap Overflow via Excessive SQL Placeholders
CVE-2026-14739 Published on July 7, 2026
DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders
DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders.
The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders.
DBI version 1.650 sets a hard limit of 99,999 placeholders.
Vulnerability Analysis
CVE-2026-14739 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Timeline
Version 1.648 released with a fix for CVE-2026-10879.
Version 1.650 released. 33 days later.
Weakness Type
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2026-14739 has been classified to as a Memory Corruption vulnerability or weakness.
Affected Versions
HMBRAND DBI:- Before 1.650 is affected.