Perl Regex Engine Vulnerability Allows Silently Incorrect Matches
A vulnerability exists in Perl versions up to and including 5.43.9 where regular expression matches can be silently incorrect when an alternation of more than 65535 fixed string branches is compiled into a trie within the Perl_study_chunk function, potentially leading to incorrect logic or data processing.
Perl versions through 5.43.9 are susceptible to a vulnerability, identified as CVE-2026-13221, where the regular expression engine can produce silently incorrect matches. This flaw arises when a regex contains an alternation of more than 65535 fixed string branches that are compiled into a trie by the Perl_study_chunk function. Instead of correctly identifying a match or non-match, the engine may return an incorrect result without any error or warning, potentially leading to applications making decisions based on faulty regex evaluations. This vulnerability impacts applications relying on complex regular expressions in Perl scripts for tasks like input validation, data parsing, or security filtering.
Impact
If this vulnerability is triggered, it could lead to significant integrity issues within applications that use Perl for critical data processing, filtering, or validation, particularly those employing highly complex regular expressions. Applications might misinterpret data, allow invalid inputs to bypass validation checks, or incorrectly filter legitimate inputs. This could potentially result in data corruption, security bypasses, or even denial of service if the logic failure causes crashes or incorrect resource allocation. The silent nature of the incorrect matches makes detection difficult, as applications would behave unexpectedly without explicit error messages, making it challenging to identify the root cause of issues.
Recommendation
- Upgrade Perl to a version patched against CVE-2026-13221 as soon as possible.
- Review Perl applications that use regular expressions with large alternations (specifically those potentially containing over 65535 fixed string branches compiled into a trie) to assess potential impact and identify areas where silent mismatches could occur.
- Consider implementing additional input validation or data integrity checks for critical Perl applications, especially those processing untrusted input where regular expressions are used.