Regular Expression Denial of Service in String::Util for Perl by Scott Chief Baker
CVE-2026-14895

Currently unrated

Key Information:

Vendor

Bakerscot

Vendor
CVE Published:
7 July 2026

What is CVE-2026-14895?

The String::Util module for Perl, specifically versions prior to 1.36, contains a vulnerability that can lead to a regular expression denial of service. The issue arises from the trim and rtrim functions, which utilize a regex pattern that matches trailing whitespace. Due to greedy matching behavior, the regex engine can enter a state of quadratic backtracking when processing long runs of whitespace, resulting in excessive CPU resource consumption. Attackers can exploit this by submitting untrusted input, potentially leading to service disruption. The responsible party has patched this vulnerability by modifying the regex to prevent this backtracking behavior.

Affected Version(s)

String::Util 0 < 1.36

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.