CVE-2026-14740 PUBLISHED

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment

Assigner: CPANSec
Reserved: 04.07.2026 Published: 07.07.2026 Updated: 08.07.2026

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment.

The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds.

Product Status

Vendor HMBRAND
Product DBI
Versions Default: unaffected
  • affected from 0 to 1.650 (excl.)

Workarounds

Remove initial comments from SQL statements before passing them to DBI.

Solutions

Upgrade to DBI version 1.650 or later.

References

Problem Types

  • CWE-125 Out-of-bounds Read CWE