A vulnerability was discovered that can lead to a use-after-free when using prepared statements. This vulnerability is present in all releases going back at least to version 3.0 of the driver, which was released in 2005.
The CVE identifier for this vulnerability is CVE-2016-1251.
Version 4.041, including the fix for this vulnerability, is available on CPAN at https://metacpan.org/pod/DBD::mysql
Users of DBD::mysql with prepared statements are advised to patch their installations as soon as possible.
Many thanks to Pali Rohár for discovering and fixing the vulnerability.
The DBD::mysql maintainers, Patrick Galbraith, Michiel Beijen