PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13221 SHAY CVE debrief

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error. A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.

Vendor
SHAY
Product
perl
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of Perl versions through 5.43.9 should be aware of this issue and take steps to mitigate it, especially if they use regular expressions for access or filtering decisions. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their systems and implement necessary protections.

Technical summary

The Perl programming language, in versions through 5.43.9, has a vulnerability in its regular expression engine. When compiling an alternation of more than 65535 fixed string branches into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. If the branch count exceeds 65535, this field overflows, causing the trie's match decision table to be truncated without any warning or error. As a result, patterns of this form can produce incorrect matches, both false positives (matching strings they should not) and false negatives (failing to match strings they should). This issue can lead to incorrect results when such patterns are used for access control or filtering decisions.

Defensive priority

High

Recommended defensive actions

  • Update to a version of Perl that fixes this issue, if available.
  • Review and test regular expressions used for access or filtering decisions.
  • Consider using alternative pattern matching approaches if possible.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-13T17:16:48.923Z and has not been modified since then. The NVD entry is currently Undergoing Analysis. Evidence is limited, and defenders should verify the affected scope, severity, and vendor guidance. The issue affects Perl versions through 5.43.9 and involves silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T17:16:48.923Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.