Perl DBI Buffer Overflow (CVE-2026-9698): Error Message Handling Enables Remote Code Execution in Database Interface Library

A buffer overflow vulnerability in Perl’s DBI (Database Interface) module, tracked as CVE-2026-9698 (CVSS 9.8), allows attackers who can influence error text to trigger remote code execution. All versions of Perl DBI prior to 1.648 are affected. DBI is the standard database access layer for Perl, used by virtually every Perl application that connects to databases.

What Is the Vulnerability?

CVE-2026-9698 is an out-of-bounds write vulnerability (CWE-787) in DBI’s error message handling. When RaiseError, PrintError, or HandleError are enabled — which is the default and recommended configuration for most DBI applications — error messages are written to a fixed 200-byte buffer without any length validation. Error messages exceeding 200 bytes overflow the buffer, enabling memory corruption and potentially remote code execution.

Attackers who can influence error text in Perl applications — through crafted database queries, malformed input, or controlled error conditions — can trigger the buffer overflow. DBI is the foundational database access layer for the entire Perl ecosystem. Every Perl application using MySQL, PostgreSQL, SQLite, Oracle, or any other database through DBI is affected.

  • CVSS v3.1 Score: 9.8 (Critical)
  • CWE: CWE-787 (Out-of-Bounds Write)
  • Affected: Perl DBI versions prior to 1.648
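The defect class the advisory describes, shown as an added illustration in C that is not DBI's source code (DBI's XS implementation is not reproduced here): an error string copied into a fixed 200-byte buffer with no length check, beside the bounded, always NUL-terminated form that a fix takes. The function names, the buffer constant and the constructed messages of repeated 'E' bytes are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size named in the advisory (assumption: the real field layout in
 * DBI is not shown here). */
#define ERR_BUF_LEN 200

/* Vulnerable pattern (illustrative only): the error text is copied with no
 * bound.  Any message of ERR_BUF_LEN bytes or more writes past the end of
 * the array, which is the CWE-787 out-of-bounds write the advisory names.
 * Kept for comparison; not called with long input in this example. */
size_t store_error_unbounded(char out[ERR_BUF_LEN], const char *msg)
{
    strcpy(out, msg);               /* no length validation */
    return strlen(out);
}

/* Hardened pattern: the copy is bounded by the buffer size and the result
 * is always NUL-terminated.  Overlong messages are truncated to
 * ERR_BUF_LEN - 1 bytes instead of corrupting adjacent memory, and the
 * caller is told that truncation happened. */
size_t store_error_bounded(char out[ERR_BUF_LEN], const char *msg, int *truncated)
{
    int would_write = snprintf(out, ERR_BUF_LEN, "%s", msg);
    if (would_write < 0) {          /* encoding error: leave an empty message */
        out[0] = '\0';
        *truncated = 0;
        return 0;
    }
    *truncated = (size_t)would_write >= ERR_BUF_LEN;
    return *truncated ? ERR_BUF_LEN - 1 : (size_t)would_write;
}

/* Constructed input: an error message of msg_len 'E' bytes (capped at 1023),
 * passed through the hardened store.  Returns the stored length. */
size_t store_error_of_length(size_t msg_len, int *truncated)
{
    char msg[1024];
    char out[ERR_BUF_LEN];
    if (msg_len > sizeof msg - 1)
        msg_len = sizeof msg - 1;
    memset(msg, 'E', msg_len);
    msg[msg_len] = '\0';
    return store_error_bounded(out, msg, truncated);
}

/* Convenience wrappers so each property can be checked by itself. */
int stored_length(size_t msg_len)
{
    int t;
    return (int)store_error_of_length(msg_len, &t);
}

int was_truncated(size_t msg_len)
{
    int t;
    store_error_of_length(msg_len, &t);
    return t;
}

int main(void)
{
    size_t lengths[] = { 50, 199, 200, 300 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        printf("message of %3zu bytes -> stored %3d bytes, truncated=%d\n",
               lengths[i], stored_length(lengths[i]), was_truncated(lengths[i]));
    }
    return 0;
}
```

The point of the bounded form is that a 300-byte message ends up as a 199-byte string plus terminator, and the caller learns it was cut; in the unbounded form the same message writes 101 bytes past the array. Signalling truncation matters for error handling specifically, because a silently shortened database error can hide the cause of a failure.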

Which Versions Are Affected?

  • Perl DBI: all versions before 1.648

What Is the Fix?

Update Perl DBI to version 1.648 or later: cpanm DBI@1.648 or cpan install DBI. For system Perl installations, update through your distribution’s package manager. For containerised Perl applications, rebuild images with the updated DBI version.

Recommendations

Update DBI across all Perl environments. DBI is a fundamental dependency — check every Perl application, script, and container that connects to a database. The fixed 200-byte buffer without bounds checking is a classic memory safety vulnerability in a library that processes attacker-influenced data (database query results and error messages).

This advisory was first covered in the broader Vulnerability Intelligence Report — June 10, 2026.
