Perl Ecosystem: Five Vulnerabilities Disclosed Together Affecting Core and Modules
Five vulnerabilities affecting Perl and its modules were disclosed on July 14, 2026, spanning heap overflows, DoS, and incorrect regex processing.

Key findings
- Five Perl-related vulnerabilities disclosed on July 14, 2026, impacting core interpreter and modules.
- CVE-2026-58102 and CVE-2026-58101 detail heap read and DoS flaws in Crypt::OpenSSL::X509 before v2.1.3.
- CVE-2026-13221 causes incorrect regex matches in Perl through 5.43.9 due to trie compilation limits.
- CVE-2026-57433 involves integer overflow in Storable deserialization before v3.41.
- CVE-2026-57432 leads to out-of-bounds heap read in Perl's pack/unpack via S_measure_struct overflow.
On July 14, 2026, a batch of five vulnerabilities was disclosed affecting the Perl programming language and its associated libraries. These vulnerabilities, all published on the same day, span several components including Crypt::OpenSSL::X509, the core Perl interpreter, and the Storable module. The disclosures highlight potential risks ranging from denial of service and heap out-of-bounds reads to silently incorrect regular expression matches and integer overflows.
Two vulnerabilities, CVE-2026-58102 and CVE-2026-58101, impact the Crypt::OpenSSL::X509 module in versions prior to 2.1.3. CVE-2026-58102 describes a heap out-of-bounds read vulnerability that can occur when processing long certificate extension OIDs. This occurs because the code passes the return value of OBJ_obj2txt() directly as a hash key without proper validation. Similarly, CVE-2026-58101 details a denial of service vulnerability stemming from a NULL pointer dereference. This happens when an extension's DER value fails to parse, leading to a NULL return from X509V3_EXT_d2i(ext), which is then dereferenced without a NULL check in various functions.
A separate issue, CVE-2026-13221, affects Perl versions up to 5.43.9. This vulnerability arises when an alternation of more than 65,535 fixed string branches is compiled into a trie within Perl_study_chunk. The delta between the first branch and the shared tail is stored in a 16-bit field, leading to silently incorrect regular expression matches due to this limitation.
The Storable module is affected by CVE-2026-57433 in versions prior to 3.41. This vulnerability involves a signed integer overflow during the deserialization of a crafted SX_HOOK record. The retrieve_hook_common function reads a signed 32-bit item count and calls av_extend with the count plus one. A count of I32_MAX causes the addition to wrap around to a negative value, leading to the overflow.
Finally, CVE-2026-57432 points to an integer overflow within the S_measure_struct function in Perl versions up to 5.43.10. This overflow can result in an out-of-bounds heap read during pack and unpack operations. The S_measure_struct function adds each item's size multiplied by its repeat count to a running total without an overflow check, allowing a large repeat count in a pack or unpack template to wrap the signed SSize_t total.
These vulnerabilities underscore the importance of timely updates for Perl installations and related modules. Users are advised to update to patched versions as soon as possible to mitigate the risks associated with heap overflows, denial of service, and data corruption. The Perl Foundation and Debian have been involved in the disclosure and patching of these issues.
The specific versions and patches mentioned are: Crypt::OpenSSL::X509 versions before 2.1.3 are affected, and Storable versions before 3.41 are vulnerable. Perl versions through 5.43.9 and 5.43.10 are also impacted by specific issues. Users should consult the respective advisories for detailed mitigation steps and version information. The coordinated disclosure of these five CVEs on a single day highlights a focused security event for the Perl ecosystem.