CVE-2026-13221

unknown
Published 2026-07-13 ยท Modified 2026-07-13
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
โ€”

Description

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error. A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker ยท View original โ†— ยท DFSG

CVE-2026-13221 NameCVE-2026-13221 DescriptionPerl versions through 5.43.9 produce silently incorrect regular expres ... SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Sourceโ€ฆ

CVE-2026-13221

NameCVE-2026-13221
DescriptionPerl versions through 5.43.9 produce silently incorrect regular expres ...
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
perl (PTS)bullseye5.32.1-4+deb11u3vulnerable
bullseye (security)5.32.1-4+deb11u5vulnerable
bookworm5.36.0-7+deb12u3vulnerable
bookworm (security)5.36.0-7+deb12u2vulnerable
trixie5.40.1-6vulnerable
forky, sid5.40.1-8vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
perlsource(unstable)(unfixed)

Notes

https://lists.security.metacpan.org/cve-announce/msg/41780104/
https://github.com/Perl/perl5/issues/23388
Introduced with: https://github.com/Perl/perl5/commit/acababb42be12ff2986b73c1bfa963b70bb5d54e (v5.37.10)
Fixed by: https://github.com/Perl/perl5/commit/03f74bbbd3a68350d926ee93d56ee4808c28c4c7 (v5.43.10)

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
https://lists.security.metacpan.org/cve-announce/msg/41780104/https://github.com/Perl/perl5/issues/23388Introduced with: https://github.com/Perl/perl5/commit/acababb42be12ff2986b73c1bfa963b70bb5d54e (v5.37.10)Fixed by: https://github.com/Perl/perl5/commit/03f74bbbd3a68350d926ee93d56ee4808c28c4c7 (v5.43.10)

OS impact

debian Debian Affected 5 releases
VersionStatusFixed in
trixie Affected โ€”
sid Affected โ€”
forky Affected โ€”
bullseye Affected โ€”
bookworm Affected โ€”

References

CWEs

CWE-190

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.