CVE-2026-13221 in Perlinfo

Summary

by MITRE • 07/13/2026

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk.

When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error.

A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

This vulnerability exists in perl versions through 5439 where regular expression matching becomes unreliable when handling alternations with more than 65535 fixed string branches compiled into a trie structure. The issue stems from a fundamental limitation in how perl manages memory and decision tables during regex compilation, specifically within the Perl_study_chunk function that processes pattern analysis. When perl encounters such complex patterns, it attempts to optimize performance by converting the alternation into a trie data structure where shared prefixes are efficiently stored.

The technical flaw manifests through a 16-bit field overflow in the trie's internal representation. Each branch in the trie stores a delta value representing the difference between the first branch and the shared tail portion of the pattern. This delta is stored in a fixed 16-bit field which can only accommodate values up to 65535. When the number of branches exceeds this limit, the overflow causes truncation of the match decision table without any error indication or warning to the user. This silent failure means that the regex engine continues operation with corrupted data structures.

The operational impact of this vulnerability is significant and potentially dangerous in security contexts where regex patterns control access decisions or data filtering mechanisms. The truncated decision table results in both false positive and false negative matching behaviors, meaning that strings which should not match will match incorrectly, while strings that should match will fail to match. This creates a scenario where security controls based on such regex patterns can be bypassed or malfunction, leading to unauthorized access or data leakage. The vulnerability affects any application using perl's regex engine for pattern matching, particularly those implementing access control, input validation, or content filtering systems.

This issue maps to CWE-129 in the Common Weakness Enumeration which covers improper validation of array indices and CWE-704 in the case of incorrect representation of data. From an ATT&CK perspective, this vulnerability could be leveraged during initial access phases where regex patterns control user authentication or input sanitization, potentially allowing adversaries to bypass security controls through crafted inputs that exploit the false matching behavior.

Mitigation strategies should focus on avoiding complex regex patterns with excessive alternations, particularly those exceeding 65535 branches. System administrators should upgrade to perl version 5440 or later where this issue has been resolved through proper overflow handling and error reporting. Applications using vulnerable perl versions should implement input validation that prevents execution of suspicious regex patterns, and security teams should monitor for unusual matching behavior in systems that rely on complex pattern matching. Additionally, developers should consider alternative approaches such as using hash tables or other data structures for implementing large-scale string matching instead of relying on the problematic regex alternation constructs.

Responsible

CPANSec

Reservation

06/24/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!