CVE-2026-10879: DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders
DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.
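To make the size accounting in the description concrete, the following is an added Python model of the expansion arithmetic; it is not DBI's own code and not a copy of its preparse routine. It assumes, as a simplification, that every `?` is a placeholder (DBI's real preparser also tracks quotes and comments), and the function names (`binder_len`, `reserved_bytes_flawed`, `reserved_bytes_fixed`, `overflow_bytes`, `first_overflowing_count`) are this example's own.

```python
# Added illustration, not DBI's own code: a model of the placeholder-expansion
# buffer accounting the advisory describes, used to see why 10+ binders overflow.
import re

# Simplification (assumption): every '?' is a placeholder. DBI's real preparse also
# tracks quotes and comments so that a '?' inside a string literal is left alone.
PLACEHOLDER = re.compile(r"\?")


def binder_len(i: int) -> int:
    """Length of the numbered binder ':p<i>': two bytes for ':p' plus the digits of i."""
    return 2 + len(str(i))


def expand_placeholders(sql: str) -> str:
    """Rewrite each '?' as ':p1', ':p2', ... in order of appearance (modelled behaviour)."""
    counter = 0

    def repl(_match: re.Match) -> str:
        nonlocal counter
        counter += 1
        return f":p{counter}"

    return PLACEHOLDER.sub(repl, sql)


def reserved_bytes_flawed(sql: str) -> int:
    """Reservation the advisory attributes to DBI < 1.648: three bytes per binder."""
    n = sql.count("?")
    return (len(sql) - n) + 3 * n


def reserved_bytes_fixed(sql: str) -> int:
    """Reservation that accounts for the real digit count of every binder number."""
    n = sql.count("?")
    return (len(sql) - n) + sum(binder_len(i) for i in range(1, n + 1))


def overflow_bytes(sql: str) -> int:
    """Bytes by which the expanded statement exceeds the flawed reservation (0 means it fits)."""
    return max(0, len(expand_placeholders(sql)) - reserved_bytes_flawed(sql))


def first_overflowing_count(limit: int = 1000) -> int:
    """Smallest placeholder count whose expansion no longer fits the flawed reservation."""
    for n in range(1, limit + 1):
        if overflow_bytes(",".join("?" * n)) > 0:
            return n
    raise ValueError("no overflow found within limit")


if __name__ == "__main__":
    # Constructed sample statements: nine and ten placeholders respectively.
    nine = "INSERT INTO t VALUES (" + ",".join("?" * 9) + ")"
    ten = "INSERT INTO t VALUES (" + ",".join("?" * 10) + ")"
    for label, stmt in (("9 binders", nine), ("10 binders", ten)):
        print(f"{label}: reserved(flawed)={reserved_bytes_flawed(stmt)} "
              f"reserved(fixed)={reserved_bytes_fixed(stmt)} "
              f"needed={len(expand_placeholders(stmt))} overflow={overflow_bytes(stmt)}")
    print("first overflowing count:", first_overflowing_count())
```

With nine placeholders the flawed reservation and the expanded length match exactly; the tenth binder `:p10` is the first four-character one, so the expansion runs one byte past the reservation, and the shortfall grows with every additional binder (two-digit binders each lose one byte, three-digit binders two). The fixed reservation equals the expanded length for any count, which is the invariant a correct allocation has to satisfy; on a real system the remediation remains upgrading DBI to 1.648.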
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 1.648
- Affected Products: 1
HarborGuard Analysis
Synopsis
A heap buffer overflow exists in the Perl DBI module (versions before 1.648) triggered during SQL statement preparsing. The vulnerability is reachable over the network without any authentication or user interaction, as derived from the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation gives an attacker full read, write, and crash capabilities on the affected process, enabling data theft, data tampering, and remote code execution. A patched-image rebuild at DBI 1.648 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10879 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including CPANSec and NVD) within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle the Perl DBI module.
HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and weights it against each environment's compliance policy to determine urgency and routing, ensuring the finding reaches the right team inbox without requiring manual triage.
A patched-image rebuild at DBI 1.648 is available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable service must be reachable over the network; an attacker can trigger the overflow by sending a crafted SQL statement remotely.
- Authentication: Not required
No credentials or session token are needed; the overflow is reachable by any unauthenticated caller.
- Victim interaction: Not required
No victim action is required; the attacker triggers the overflow entirely through their own requests.
- Attack complexity: Low
Exploit complexity is low: the overflow is deterministic and condition-free, requiring only a SQL statement with 10 or more placeholder binders to exceed the allocated buffer.
Blast Radius
- Reads arbitrary heap memory from the DBI process, exposing in-flight query data, credentials, and application secrets.
- Overwrites heap structures to corrupt application state or pivot to controlled data, enabling modification of database rows or session records.
- Crashes the DBI process or the Perl interpreter hosting it, taking the database-connected application offline.
- Under favorable heap layout, achieves remote code execution within the process, giving the attacker full control of the application runtime.
How HarborGuard Handles This
Available on HarborGuard: any image containing DBI before 1.648 is flagged immediately upon scan, with a severity of CRITICAL and a CVSS score of 9.8. A rebuilt image at the fixed version (DBI 1.648) is available as soon as the CVE is matched. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated inbox with full context including the affected image layers and the fix version, so reviewers can act without additional research.
Affected Products
- HMBRAND / DBI: < 1.648 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H