Skip to main content

Perl CVE-2026-13221

CRITICAL
Integer Overflow or Wraparound (CWE-190)
2026-07-13 CPANSec
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
5.9 MEDIUM

Impact is silently wrong matches corrupting access/filter decisions, so integrity-only (I:H, C:N/A:N); the required 65,535+ fixed-string alternation is an unusual precondition, hence AC:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
Jul 14, 2026 - 14:23 vuln.today
Analysis Generated
Jul 14, 2026 - 14:23 vuln.today
CVSS changed
Jul 14, 2026 - 14:22 NVD
9.1 (CRITICAL)
CVE Published
Jul 13, 2026 - 15:40 cve.org
CRITICAL 9.1
CVE Published
Jul 13, 2026 - 15:40 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk.

When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error.

A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.

AnalysisAI

Silently incorrect regular-expression matching in the Perl interpreter (all versions through 5.43.9) lets an oversized alternation of more than 65,535 fixed-string branches overflow a 16-bit delta field when the branches are optimized into a trie, truncating the match-decision table. The result is both false-positive and false-negative matches, so any Perl program that uses such a pattern to gate access or filter input can make wrong security decisions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Application builds regex with >65535 fixed-string branches
Delivery
Trie batching overflows 16-bit delta field
Exploit
Match-decision table silently truncated
Execution
Filter/access check returns wrong verdict
Impact
Attacker input bypasses security control

Vulnerability AssessmentAI

Exploitation Exploitation requires a Perl program that compiles a single regular expression whose alternation contains more than 65,535 fixed-string branches (the exact overflow threshold of the 16-bit delta field in Perl_study_chunk), and that uses the resulting match to gate an access, authorization, or filtering decision. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (9.1, AV:N/AC:L/PR:N/UI:N/C:N/I:H/A:H) reads as a critical, trivially remote issue, but the signals conflict and should be treated with caution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application builds a large deny/allow regex by joining tens of thousands of fixed strings (for example a WAF-style blocklist or an input allowlist) and uses it to decide whether a request is permitted. Because the compiled trie is silently truncated past 65,535 branches, the pattern lets through inputs it should block (false negative) or rejects legitimate inputs (false positive), enabling an attacker to bypass the filter with a string that the corrupted table mis-classifies. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the official commit 03f74bbbd3a68350d926ee93d56ee4808c28c4c7 (https://github.com/Perl/perl5/commit/03f74bbbd3a68350d926ee93d56ee4808c28c4c7.patch), or upgrade to the first Perl 5.44 release that includes it once your distribution ships it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running Perl and document which versions and applications use regular expressions for access control or input filtering. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Perl

View all
CVE-2012-6329 HIGH POC
7.5 Jan 04

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly hand

CVE-2017-12814 CRITICAL POC
9.8 Sep 28

Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before

CVE-2015-8608 CRITICAL POC
9.8 Feb 07

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of

CVE-2018-18314 CRITICAL POC
9.8 Dec 07

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations. Rated

CVE-2018-18312 CRITICAL POC
9.8 Dec 05

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid

CVE-2018-18313 CRITICAL POC
9.1 Dec 07

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive informa

CVE-2016-2381 HIGH
7.5 Apr 08

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate e

CVE-2023-31484 HIGH POC
8.1 Apr 29

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. Rated high severity (CVS

CVE-2016-6185 HIGH POC
7.8 Aug 02

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which mig

CVE-2018-12015 HIGH POC
7.5 Jun 07

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mecha

CVE-2015-8853 HIGH
7.5 May 25

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-depe

CVE-2017-12883 CRITICAL
9.1 Sep 19

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 al

Share

CVE-2026-13221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy