PatchSiren cyber security CVE debrief
CVE-2016-1249 Dbd MYSQL Project CVE debrief
CVE-2016-1249 is a denial-of-service flaw in Perl's DBD::mysql module when server-side prepared statement support is used. The supplied NVD record describes an out-of-bounds read that can be triggered by certain SQL shapes involving an unaligned number of placeholders in a WHERE condition and output fields in a SELECT expression. The affected range in NVD extends through 4.038_01, with 4.039 referenced as the fixed release path.
- Vendor: Dbd MYSQL Project
- Product: CVE-2016-1249
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-17
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-17
- Advisory updated: 2026-05-13
Who should care
Teams running Perl applications that use DBD::mysql, especially where server-side prepared statements are enabled, should review this CVE. It also matters to package maintainers and distro security teams responsible for dependency updates and downstream advisories.
Technical summary
NVD maps this issue to CWE-125 (out-of-bounds read) and rates it as CVSS 3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. In practical terms, the bug is an availability issue: under the right query pattern and module version, the database client library can read past bounds and destabilize the process. The supplied references point to the 4.039 changes file, an oss-security post with mitigation/patch context, and a GitHub commit that corresponds to the fix.
Defensive priority
Patch promptly if DBD::mysql is deployed in production. This is not an RCE-class issue, but crashes or service instability in database-facing Perl applications can still have meaningful operational impact.
Recommended defensive actions
- Inventory Perl applications and hosts using DBD::mysql, then confirm whether any instance is at or below 4.038_01.
- Upgrade to DBD::mysql 4.039 or a vendor-packaged release that includes the fix.
- Review whether server-side prepared statements are enabled in affected applications and follow the supplied vendor/oss-security guidance if immediate upgrading is not possible.
- Monitor for database-client crashes or restarts in Perl services that depend on DBD::mysql, and prioritize remediation where the module is exposed in production.
- Use downstream advisories such as the Gentoo GLSA and your platform's package metadata to confirm fixed package versions.
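The first three actions above amount to one triage pass: decide for each install whether its version is in the affected range and whether the server-side prepared statement path is enabled. The following added example (not part of this debrief, and not DBD::mysql's own tooling) does that over a constructed sample inventory. The hostnames are invented; the `mysql_server_prepare` key is assumed to record the value of DBD::mysql's connect/DSN attribute of that name, which enables server-side prepared statements.

```python
"""Triage an inventory of DBD::mysql installs against CVE-2016-1249.

Added example, not part of the advisory. The inventory below is
constructed sample data; hostnames and settings are invented.
"""
from decimal import Decimal, InvalidOperation

# NVD's affected range runs up to and including 4.038_01; 4.039 is the fix.
FIXED_VERSION = Decimal("4.039")


def perl_decimal_version(text):
    """Parse a Perl-style decimal version such as '4.038_01' into a Decimal.

    Perl compares decimal versions numerically after dropping the
    underscore that marks a developer release, so 4.038_01 is 4.03801,
    which is below 4.039; likewise 4.04 is above 4.039 although it is
    the shorter string. Plain string comparison gets both cases wrong.
    Dotted-decimal versions ('v1.2.3') are out of scope and raise.
    """
    cleaned = text.strip().replace("_", "")
    try:
        return Decimal(cleaned)
    except InvalidOperation:
        raise ValueError(f"not a Perl decimal version: {text!r}") from None


def is_affected(version_text):
    """True when the install is at or below 4.038_01, i.e. older than 4.039."""
    return perl_decimal_version(version_text) < FIXED_VERSION


def triage(inventory):
    """Return (host, version, action) for every affected install.

    Hosts with server-side prepared statements enabled can reach the
    vulnerable code path and are listed first as 'upgrade now'; the rest
    still need the upgrade, but the trigger condition is not met.
    """
    results = []
    for entry in inventory:
        if not is_affected(entry["dbd_mysql_version"]):
            continue
        # mysql_server_prepare: DBD::mysql attribute that turns on
        # server-side prepared statements (assumed to be what the
        # inventory recorded for each host).
        if entry["mysql_server_prepare"]:
            action = "upgrade now"
        else:
            action = "upgrade (vulnerable path not enabled)"
        results.append((entry["host"], entry["dbd_mysql_version"], action))
    # Stable sort: 'upgrade now' entries first, inventory order otherwise.
    results.sort(key=lambda r: r[2] != "upgrade now")
    return results


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "app-01.example.test", "dbd_mysql_version": "4.038_01", "mysql_server_prepare": True},
    {"host": "app-02.example.test", "dbd_mysql_version": "4.033", "mysql_server_prepare": False},
    {"host": "app-03.example.test", "dbd_mysql_version": "4.039", "mysql_server_prepare": True},
    {"host": "app-04.example.test", "dbd_mysql_version": "4.04", "mysql_server_prepare": True},
]

if __name__ == "__main__":
    for host, version, action in triage(SAMPLE_INVENTORY):
        print(f"{host:24} DBD::mysql {version:10} {action}")
```

On a host, the version string to feed into the inventory is what `perl -MDBD::mysql -e 'print "$DBD::mysql::VERSION\n"'` prints; where the module came from a distribution package, compare that against the fixed package version named in the distro advisory rather than the upstream number alone, since vendors sometimes backport the fix without bumping to 4.039.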
Evidence notes
The NVD record states the vulnerability description, affected version criteria through 4.038_01, and the CWE-125 mapping. The supplied references include the DBD::mysql 4.039 Changes file, an oss-security mailing list thread with mitigation and patch context, a GitHub patch commit, and a Gentoo GLSA, all consistent with a versioned fix rather than a broad architectural change. The CVE was originally published on 2017-02-17; the later 2026-05-13 timestamp is an NVD record modification date and should not be treated as the issue date.
Official resources
- CVE-2016-1249 CVE record (CVE.org)
- CVE-2016-1249 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Release Notes, Vendor Advisory
- Mitigation or vendor reference: Mailing List, Mitigation, Patch, Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Patch, Third Party Advisory
- Source reference: Publicly disclosed in the supplied NVD record on 2017-02-17. The record was later modified on 2026-05-13; that later date reflects metadata updates, not the original vulnerability date.