CVE-2026-60082

critical

Description

DBI versions before 1.651 for Perl do not enforce statement handle consistency with the row. When the statement handle had no fields but the source row was non-empty, the internal row-buffer helper would read from a negative array index. This could be triggered by a caller supplying inconsistent metadata and rows to the prepare method.

References

https://metacpan.org/release/HMBRAND/DBI-1.651/changes

https://github.com/perl5-dbi/dbi/security/advisories/GHSA-rwhc-hhmv-cjvg

https://github.com/perl5-dbi/dbi/commit/397868704291bbf0989b97e2c0661189890653e2.patch

Details

Source: Mitre, NVD

Published: 2026-07-14

Updated: 2026-07-14

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Severity: Critical