A race condition exists during thread creation when a directory handle is open. The process-wide current working directory is temporarily altered to clone that handle for the new thread, an effect that is visible to any other threads already running. This flaw can cause file operations—such as loading code or reading data—to target unintended paths. The weakness is identified by CWE-362 (Race Condition), CWE-426 (Insecure Direct Object Reference), and CWE-689 (Improper Handling of Working Directory). The result is a localized attack surface that may allow a local adversary to execute arbitrary code or read/write files that should not be accessible.

The vulnerability affects the Perl interpreter provided by the https://perl.org organization, specifically the 5.13.6 release. Versions that incorporate the referenced patch or any later revision that eliminates the race condition are considered unaffected. No other vendors or product lines are listed as impacted.

The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% reflects a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve a local attacker who can spawn threads within the same process; they would need to coordinate timing to exploit the directory change. Because the flaw requires a concurrent thread and the resulting privilege is limited to the running process, the risk is medium but still significant for components handling sensitive file paths.