CVE-2026-15043
Publication date 14 July 2026
Last updated 16 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted <= and >= SQL operators on text. DBI::SQL::Nano, DBI's built-in mini-SQL engine, evaluated WHERE predicates incorrectly in some cases. In the non-numeric string branch of the is_matched method, <= was evaluated using Perl's ge operator, and >= was evaluated using Perl's le operator. SQL::Nano is the fallback query engine for DBI's file-backed drivers (DBD::File, DBD::DBM, CSV-style drivers) whenever SQL::Statement is not installed, and is forced whenever DBI_SQL_NANO=1. Queries over such tables use these predicates directly. The impact depends on the context. Where an application relies on a WHERE clause to filter file-backed data for policy or authorization, an inverted <=/>= comparison silently returns the wrong rows.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libdbi-perl | 26.04 LTS resolute |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
Severity score breakdown
CVSS version: CVSS v3.0
Base score
9.8 · Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-15043
- https://lists.security.metacpan.org/cve-announce/msg/41805128/
- https://github.com/perl5-dbi/dbi/security/advisories/GHSA-mv45-ff6j-x9jp
- https://github.com/perl5-dbi/dbi/commit/e9742ef85a75867cbd696860e3bf3e32b681f98d.patch
- https://metacpan.org/release/HMBRAND/DBI-1.651/changes
- http://www.openwall.com/lists/oss-security/2026/07/14/9