CVE-2026-60081 in DBI::ProfileDatainfo

Summary

by MITRE • 07/14/2026

DBI::ProfileData versions before 1.651 for Perl do not limit the path index.

The path index column of profile dump files is used to allocate an array of data for the parser. An unbounded value allows an attacker to specify a large index and consume available memory.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability in DBI::ProfileData versions prior to 1.651 represents a critical memory exhaustion issue that can lead to denial of service conditions within perl applications utilizing database connectivity profiling features. This flaw exists within the parsing mechanism of profile dump files, where the path index column serves as a direct input parameter for array allocation operations. The absence of proper bounds checking on this index value creates an exploitable condition that allows malicious actors to manipulate the parser into allocating excessive memory resources.

The technical implementation of this vulnerability stems from insufficient input validation within the profile data parser component of the DBI::ProfileData module. When processing profile dump files, the system utilizes the path index value to determine the size and allocation of internal data structures. Without proper bounds enforcement, an attacker can craft malicious profile data containing arbitrarily large path index values that result in massive memory allocations. This behavior directly violates security principles outlined in CWE-129 Input Validation and CWE-770 Allocation of Resources Without Limits or Throttling, where resource consumption is not properly constrained. The vulnerability manifests as a remote memory exhaustion attack vector that can be exploited through crafted profile data files.

The operational impact of this vulnerability extends beyond simple denial of service scenarios, potentially affecting the stability and availability of database-connected applications across various deployment environments. When exploited successfully, the vulnerability allows attackers to consume all available system memory on the target host, leading to application crashes, system instability, or complete resource exhaustion that can affect other services running on the same system. This type of attack falls under the ATT&CK technique T1499.004 Resource Hijacking, where adversaries consume system resources to impair system functionality and availability. The vulnerability affects any perl application that utilizes DBI::ProfileData for database profiling operations, including web applications, batch processing systems, and database management tools.

Mitigation strategies for this vulnerability should focus on immediate remediation through version updates to DBI::ProfileData 1.651 or later, which includes proper bounds checking for path index values. System administrators should also implement monitoring of profile data file inputs and establish resource limits on memory allocation within applications that process such data. Additional defensive measures include implementing file integrity checks on profile dump files, restricting write permissions to profile data directories, and deploying intrusion detection systems that can identify anomalous memory allocation patterns. Organizations should also consider implementing automated patch management processes to ensure timely updates of perl modules and dependencies, as this vulnerability demonstrates the importance of maintaining current security patches for application libraries. The fix implemented in version 1.651 addresses the core issue by introducing proper validation of path index values before any memory allocation occurs, preventing attackers from specifying excessively large indices that would otherwise trigger resource exhaustion conditions.

Responsible

CPANSec

Reservation

07/08/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!