Severity: HIGH | CVE-2026-9698 | CNA: CPANSec

CVE-2026-9698: DBI versions before 1.648 for Perl saved errors in a limited-sized buffer

DBI versions before 1.648 for Perl saved errors in a limited-sized buffer. Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers that can influence the error text in an application can trigger a buffer overflow.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 1.648
  • Affected products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the Perl DBI module (versions before 1.648). The vulnerability is reachable over the network without any authentication, and is triggered when an attacker can influence the error text that DBI writes into a fixed 200-byte buffer with no length check. Successful exploitation crashes the affected service, causing a denial of service. A patched-image rebuild at version 1.648 is available on HarborGuard for affected environments.
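Because the only remediation is the fix version, the practical defender check is to locate every copy of DBI.pm in an image and compare its $VERSION against 1.648. The following is an added example, not HarborGuard's or the DBI project's own code; it assumes DBI.pm carries a quoted `$VERSION = "..."` assignment (the real line may differ) and uses constructed sample inputs rather than files from a real image.

```python
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional, Tuple

# Fix version from the advisory: DBI < 1.648 is affected by CVE-2026-9698.
FIXED_VERSION = Decimal("1.648")

# Matches a $VERSION assignment in DBI.pm, e.g.  our $VERSION = "1.647";
# (assumption: the real module's line may be formatted differently).
VERSION_RE = re.compile(
    r'^\s*(?:our\s+)?\$VERSION\s*=\s*["\']([0-9][0-9._]*)["\']', re.M
)


def parse_dbi_version(source: str) -> Optional[str]:
    """Return the $VERSION string from DBI.pm source text, or None if absent."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the version sorts below the 1.648 fix version.

    DBI versions are decimal strings (1.647, 1.648). Perl developer releases
    may carry an underscore (1.647_01); Perl numifies these by dropping the
    underscore, so the comparison does the same.
    """
    try:
        return Decimal(version.replace("_", "")) < FIXED_VERSION
    except InvalidOperation:
        raise ValueError(f"unparseable DBI version: {version!r}")


def scan_dbi_sources(sources: Dict[str, str]) -> List[Tuple[str, str]]:
    """Given {path: DBI.pm contents}, return (path, version) for affected copies."""
    findings = []
    for path, text in sources.items():
        version = parse_dbi_version(text)
        if version is not None and is_affected(version):
            findings.append((path, version))
    return findings


# Constructed sample inputs (not files from a real image): three DBI.pm copies.
SAMPLE_SOURCES = {
    "/usr/lib/x86_64-linux-gnu/perl5/5.36/DBI.pm": 'package DBI;\nour $VERSION = "1.643";\n',
    "/opt/app/local/lib/perl5/DBI.pm": "package DBI;\n$VERSION = '1.648';\n",
    "/opt/app/vendor/lib/perl5/DBI.pm": "package DBI;\nour $VERSION = '1.647_01';\n",
}

if __name__ == "__main__":
    for path, version in scan_dbi_sources(SAMPLE_SOURCES):
        print(f"AFFECTED {path}: DBI {version} < {FIXED_VERSION} (CVE-2026-9698)")
```

In a real image scan the dictionary would be filled by walking the filesystem for files named DBI.pm; an image with any affected copy should be treated as vulnerable, since the application may load either install path.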

HarborGuard Coverage

Detection (Available)

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including CPANSec advisories) within minutes of publication and matched against customer images, including custom-built images that bundle the Perl DBI module. Any image with a DBI version below 1.648 is flagged automatically.

Triage (Available)

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within the customer organization based on configured ownership rules.

Patch (Available)

A patched-image rebuild at DBI 1.648 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.

  • Authentication: Not required

    No credentials or account of any kind are needed; the CVSS vector specifies PR:N, so the attack is open to unauthenticated parties.

  • Victim interaction: Not required

    No user action is needed to trigger the overflow; the CVSS vector specifies UI:N, so exploitation proceeds without any victim involvement.

  • Attack complexity: Low

    Exploitation does not depend on special conditions; the CVSS vector specifies AC:L, meaning an attacker only needs to supply an oversized error string, with no reliance on race conditions or a specific memory layout.

Blast Radius

  • Crashes the DBI-dependent Perl application process, taking the affected service offline.
  • Repeated triggering of the overflow can sustain a denial-of-service condition for as long as the attacker can supply crafted error input.
  • No confidentiality or integrity impact is indicated by the CVSS vector; stored data is not read or modified by this exploit.

How HarborGuard Handles This

Available on HarborGuard: images containing DBI below 1.648 are matched against this CVE within minutes of the advisory being ingested, covering both base images and custom-built images that vendor the Perl DBI module. For customers who opt into auto-remediation, HarborGuard rebuilds the image at DBI 1.648, runs a regression test, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review, the finding is surfaced in the triage queue with full CVSS context and fix-version detail so engineers can act immediately.


Fix available: 1.648
Patch commits
Affected packages
  • HMBRAND / DBI: < 1.648 (from 0)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H