========================================================================
CVE-2026-14740                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-14740
  Distribution:  DBI
      Versions:  before 1.650

      MetaCPAN:  https://metacpan.org/dist/DBI
      VCS Repo:  https://github.com/perl5-dbi/dbi


DBI versions before 1.650 for Perl read one byte out-of-bounds in
preparse when deleting an initial SQL comment

Description
-----------
DBI versions before 1.650 for Perl read one byte out-of-bounds in
preparse when deleting an initial SQL comment.

The preparse method normalises SQL and removes comments. When the SQL
starts with a comment line, the deletion of that line during
normalisation led to an out-of-bounds read by one byte. The result is a
fault on memory-hardened builds and nondeterministic newline retention
on normal builds.

Problem types
-------------
- CWE-125 Out-of-bounds Read

Workarounds
-----------
Remove initial comments from SQL statements before passing them to DBI.


Solutions
---------
Upgrade to DBI version 1.650 or later.


References
----------
https://github.com/perl5-dbi/dbi/commit/fc16f9e8b3dd5c65caf1867781ab2bfe2fadcc01.patch
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-35f4-f8m9-w8xg
https://metacpan.org/release/HMBRAND/DBI-1.650/changes



Reply via email to