CVE-2026-13221

Perl · Perl

Perl versions through 5.43.9 contain an integer overflow in the regex trie optimizer, causing silently incorrect regular expression matches when processing large alternations.

Executive summary

An integer overflow vulnerability in Perl versions 5.43.9 and earlier allows for silent regex matching failures that could lead to critical security bypasses.

Vulnerability

This is an integer overflow (CWE-190) occurring within the Perl_study_chunk function. An unauthenticated attacker can trigger this flaw by providing a crafted regular expression with more than 65535 branches, which overflows a 16-bit field and causes the engine to return incorrect match results without throwing an error.

Business impact

The potential for silent failure in regular expression matching presents a severe risk to application security. Because the flaw can cause incorrect filtering or logic evaluation, it may be leveraged to bypass authentication, input validation, or access control mechanisms. Given the CVSS score of 9.8, this critical vulnerability could lead to unauthorized data access or full system compromise depending on how the application utilizes the affected regex engine.

Remediation

Immediate Action: Update Perl to version 5.44.0 or apply the provided upstream patch (commit 03f74bbbd3a68350d926ee93d56ee4808c28c4c7) to remediate the integer overflow.

Proactive Monitoring: Audit application logs for unexpected regex processing errors or patterns of unusual input that may indicate an attempt to probe the regex engine with overly complex alternation structures.

Compensating Controls: If patching is delayed, employ input length limits or complexity restrictions on user-supplied regular expressions to prevent the triggering of large branch alternations.

Exploitation status

Public Exploit Available: No (no confirmed weaponized exploit or public PoC identified).

Analyst recommendation

Due to the critical nature of this vulnerability and the potential for silent security bypasses, immediate patching is required. Organizations should prioritize updating to Perl 5.44.0 to ensure the integrity of their regex-dependent security controls. Failure to address this could leave sensitive applications exposed to bypass techniques that leave no trace in standard error logs.