CVE-2026-14740

critical

Description

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds.

References

https://metacpan.org/release/HMBRAND/DBI-1.650/changes

https://github.com/perl5-dbi/dbi/security/advisories/GHSA-35f4-f8m9-w8xg

https://github.com/perl5-dbi/dbi/commit/fc16f9e8b3dd5c65caf1867781ab2bfe2fadcc01.patch

http://www.openwall.com/lists/oss-security/2026/07/07/17

Details

Source: Mitre, NVD

Published: 2026-07-07

Updated: 2026-07-08

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 9.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Severity: Critical

EPSS

EPSS: 0.00187