CVE-2026-14740

CRITICAL

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment

Title source: cna
STIX 2.1

Description

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds.

Scores

CVSS v3 9.1
EPSS 0.0019
EPSS Percentile 8.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-125
Status published
Products (1)
HMBRAND/DBI < 1.650
Published Jul 07, 2026
Tracked Since Jul 08, 2026