Perl
CVE-2026-13221
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Impact is silently wrong matches corrupting access/filter decisions, so integrity-only (I:H, C:N/A:N); the required 65,535+ fixed-string alternation is an unusual precondition, hence AC:H.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk.
When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error.
A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.
AnalysisAI
Silently incorrect regular-expression matching in the Perl interpreter (all versions through 5.43.9) lets an oversized alternation of more than 65,535 fixed-string branches overflow a 16-bit delta field when the branches are optimized into a trie, truncating the match-decision table. The result is both false-positive and false-negative matches, so any Perl program that uses such a pattern to gate access or filter input can make wrong security decisions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a Perl program that compiles a single regular expression whose alternation contains more than 65,535 fixed-string branches (the exact overflow threshold of the 16-bit delta field in Perl_study_chunk), and that uses the resulting match to gate an access, authorization, or filtering decision. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (9.1, AV:N/AC:L/PR:N/UI:N/C:N/I:H/A:H) reads as a critical, trivially remote issue, but the signals conflict and should be treated with caution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application builds a large deny/allow regex by joining tens of thousands of fixed strings (for example a WAF-style blocklist or an input allowlist) and uses it to decide whether a request is permitted. Because the compiled trie is silently truncated past 65,535 branches, the pattern lets through inputs it should block (false negative) or rejects legitimate inputs (false positive), enabling an attacker to bypass the filter with a string that the corrupted table mis-classifies. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the official commit 03f74bbbd3a68350d926ee93d56ee4808c28c4c7 (https://github.com/Perl/perl5/commit/03f74bbbd3a68350d926ee93d56ee4808c28c4c7.patch), or upgrade to the first Perl 5.44 release that includes it once your distribution ships it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running Perl and document which versions and applications use regular expressions for access control or input filtering. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly hand
Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before
The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations. Rated
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive informa
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate e
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. Rated high severity (CVS
The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which mig
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mecha
The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-depe
Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 al
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today