Regex Vulnerability in Perl Affects Users with Large Alternation Patterns
CVE-2026-13221
Currently unrated
What is CVE-2026-13221?
Perl versions up to 5.43.9 exhibit a vulnerability in how they compile a large number of fixed string branches into a trie. When the number of branches exceeds 65535, it causes a 16-bit field overflow, resulting in an incorrect matching decision table. This may lead to false positives and false negatives in regex pattern matching, thereby potentially compromising access controls or data filtering processes without any warnings or errors. Users relying on large alternation patterns should take note of this significant flaw in regex implementation to prevent unintended behaviors.
Affected Version(s)
perl 0 <= 5.43.9
