PatchSiren cyber security CVE debrief
CVE-2026-13221 SHAY CVE debrief
Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error. A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.
- Vendor
- SHAY
- Product
- perl
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of Perl versions through 5.43.9 should be aware of this issue and take steps to mitigate it, especially if they use regular expressions for access or filtering decisions. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their systems and implement necessary protections.
Technical summary
The Perl programming language, in versions through 5.43.9, has a vulnerability in its regular expression engine. When compiling an alternation of more than 65535 fixed string branches into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. If the branch count exceeds 65535, this field overflows, causing the trie's match decision table to be truncated without any warning or error. As a result, patterns of this form can produce incorrect matches, both false positives (matching strings they should not) and false negatives (failing to match strings they should). This issue can lead to incorrect results when such patterns are used for access control or filtering decisions.
Defensive priority
High
Recommended defensive actions
- Update to a version of Perl that fixes this issue, if available.
- Review and test regular expressions used for access or filtering decisions.
- Consider using alternative pattern matching approaches if possible.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-13T17:16:48.923Z and has not been modified since then. The NVD entry is currently Undergoing Analysis. Evidence is limited, and defenders should verify the affected scope, severity, and vendor guidance. The issue affects Perl versions through 5.43.9 and involves silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie.
Official resources
-
CVE-2026-13221 CVE record
CVE.org
-
CVE-2026-13221 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
9b29abf9-4ab0-4765-b253-1875cd9b441e
-
Source reference
9b29abf9-4ab0-4765-b253-1875cd9b441e
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T17:16:48.923Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.