Regex Vulnerability in Perl Affects Users with Large Alternation Patterns
CVE-2026-13221

Currently unrated

Key Information:

Vendor

Shay

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-13221?

Perl versions up to 5.43.9 exhibit a vulnerability in how they compile a large number of fixed string branches into a trie. When the number of branches exceeds 65535, it causes a 16-bit field overflow, resulting in an incorrect matching decision table. This may lead to false positives and false negatives in regex pattern matching, thereby potentially compromising access controls or data filtering processes without any warnings or errors. Users relying on large alternation patterns should take note of this significant flaw in regex implementation to prevent unintended behaviors.

Affected Version(s)

perl 0 <= 5.43.9

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.