Description
Net::CIDR::Lite for Perl, in versions before 0.23, does not validate the IPv6 group count, which may allow IP ACL bypass.

_pack_ipv6() does not check that an uncompressed IPv6 address (one without "::") has exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and produce packed values of the wrong length (3, 7, or 15 bytes instead of 17).

The packed values are used internally for mask and comparison operations. find() and bin_find() compare them with Perl string operators (lt/gt), and comparing a short key against the 17-byte keys of the stored range boundaries yields an ordering that has nothing to do with address values: a short key that is a prefix of a boundary sorts below it, while the same short key with a different last byte may sort above it. As a result find() can report an address as inside or outside a range when it is not.

Example:

use Net::CIDR::Lite;

my $cidr = Net::CIDR::Lite->new("::/8");
$cidr->find("1:2:3"); # invalid input; on versions before 0.23 this returns true instead of being rejected
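What goes wrong in the comparison, as an added example that is not code from Net::CIDR::Lite or from the CVE record: a small self-contained model of a fixed-width key packer with and without the group-count check, run against a constructed 2001:db8::/32 range using the same Perl string operators. The one-lead-byte-plus-two-bytes-per-group layout and the function names are assumptions of this model, chosen to give the 17-byte width the description quotes; the module's real key layout may differ in detail, but the length problem is the same.

```perl
#!/usr/bin/perl
# Added example, not code from Net::CIDR::Lite: a simplified model of the
# packing and string comparison described above. The "\0" lead byte and the
# two-bytes-per-group layout are assumptions of this model (they give the
# 17-byte width the advisory mentions); the real module may differ in detail.
use strict;
use warnings;

# Pack an uncompressed IPv6 literal WITHOUT checking the group count
# (the pre-0.23 behaviour). Only the syntax of each group is checked.
sub pack_v6_nocheck {
    my ($ip) = @_;
    my @groups = split /:/, $ip, -1;
    for my $g (@groups) {
        return undef unless $g =~ /^[0-9a-fA-F]{1,4}$/;
    }
    return "\0" . pack("n*", map { hex $_ } @groups);  # 1 + 2*groups bytes
}

# Same, but with the check 0.23 adds: exactly eight groups, so every key is
# 17 bytes and string comparison between keys is meaningful.
sub pack_v6_strict {
    my ($ip) = @_;
    my @groups = split /:/, $ip, -1;
    return undef unless @groups == 8;
    return pack_v6_nocheck($ip);
}

# One stored range, 2001:db8::/32, as a half-open [lo, hi) pair of keys
# (documentation prefix, constructed for this example).
my $lo = pack_v6_nocheck("2001:db8:0:0:0:0:0:0");
my $hi = pack_v6_nocheck("2001:db9:0:0:0:0:0:0");

# Range test with Perl string operators, as find()/bin_find() do.
sub in_range_by_string_cmp {
    my ($key) = @_;
    return ($key ge $lo && $key lt $hi) ? 1 : 0;
}

for my $ip ("2001:db8:0:0:0:0:0:1",     # valid, 17 bytes, inside
            "2001:db8",                 # 2 groups: key is a proper prefix of lo
            "2001:db8:0",               # 3 groups: still a proper prefix of lo
            "2001:db8:1",               # 3 groups: byte 6 is 0x01, sorts above lo
            "2001:db9:0:0:0:0:0") {     # 7 groups: proper prefix of hi, sorts below it
    my $key = pack_v6_nocheck($ip);
    printf "%-24s %2d bytes  inside=%d  strict=%s\n",
        $ip, length($key), in_range_by_string_cmp($key),
        defined(pack_v6_strict($ip)) ? "accepted" : "rejected";
}
```

Note the two three-group probes: "2001:db8:0" sorts below the lower boundary (a shorter string that is a prefix of a longer one compares less), while "2001:db8:1" sorts above it, so the same malformed shape lands on either side of the range depending on its last digit. The seven-group "2001:db9:0:0:0:0:0" is reported inside 2001:db8::/32 even though every eight-group completion of it lies in 2001:db9::/32. The strict packer rejects all four short inputs.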

This is the same class of input validation issue as CVE-2021-47154 (IPv4 leading zeros) previously fixed in this module.

See also CVE-2026-40199, a related issue in the same function affecting IPv4 mapped IPv6 addresses.
Published: 2026-04-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: IP Access Control List Bypass
Action: Patch
AI Analysis

Impact

Net::CIDR::Lite fails to validate the number of groups in an uncompressed IPv6 address. When strings such as "1:2:3" are parsed, the library produces packed keys shorter than the required 17 bytes, and those keys are then used unchanged in mask and comparison logic. Because Perl's string comparison orders keys of different lengths by content and then by length rather than by address value, find() may report an address as inside or outside a CIDR range when it is not. Traffic that should be blocked can therefore pass an ACL check, and, conversely, traffic that should be allowed may be denied.

Affected Systems

The vulnerability is in the Net::CIDR::Lite Perl module (CPE vendor stigtsp, the GitHub account that hosts the module and the fix). All releases before version 0.23 are affected; version 0.23 and newer include the validation fix.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) rates the issue 7.5 High: reachable over the network with no privileges or user interaction, with the impact confined to integrity, here the correctness of an ACL decision. The EPSS score below 1% indicates a low predicted probability of exploitation, and the SSVC assessment records Exploitation as none. Absence from the CISA KEV catalog means no exploitation in the wild has been reported, not that the bug is hard to trigger: an attacker only needs to control the address string a Perl application checks against the module, and SSVC marks the issue Automatable. The attack vector is therefore application-level input injection, and the wrong answer can go either way (an unwanted allow or an unwanted deny).

Generated by OpenCVE AI on April 13, 2026 at 16:28 UTC.

Remediation

Vendor Solution

Upgrade to version 0.23 or newer, or apply the upstream patch from the stigtsp/Net-CIDR-Lite repository.

OpenCVE Recommended Actions

  • Upgrade Net::CIDR::Lite to version 0.23 or newer.
  • If upgrading is not immediately possible, apply the patch at https://github.com/stigtsp/Net-CIDR-Lite/commit/25d65f85dbe4885959a10471725ec9d250a589c3.patch.
  • Until the upgrade is in place, validate IPv6 literals in the application before passing them to find(): exactly eight hex groups, or at most seven groups plus a single "::". Treat anything malformed as denied rather than letting the module decide.
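One way to implement the last recommendation, added here as an example and not part of Net::CIDR::Lite or of OpenCVE's guidance: a strict IPv6-literal check placed in front of find(), exercised against a constructed 2001:db8::/32 ACL. The names is_strict_ipv6 and acl_allows are chosen for this example, and the script assumes Net::CIDR::Lite is installed.

```perl
#!/usr/bin/perl
# Added example (not Net::CIDR::Lite code): validate an IPv6 literal before
# it reaches Net::CIDR::Lite->find(), so that an application still running an
# unpatched version never hands the module a literal with the wrong group
# count. is_strict_ipv6() and acl_allows() are names chosen for this example.
use strict;
use warnings;
use Net::CIDR::Lite;

# Accept only a bare IPv6 literal: exactly eight 1-4 digit hex groups, or at
# most seven groups plus a single "::" (which expands to the rest). A trailing
# dotted quad (IPv4-mapped form) counts as two groups. Brackets, zone IDs,
# prefix lengths and leading zeros in the dotted quad are rejected.
sub is_strict_ipv6 {
    my ($ip) = @_;
    return 0 unless defined $ip && length $ip;
    return 0 if $ip =~ /[^0-9a-fA-F:.]/;               # only hex digits, ':' and '.'
    return 0 if $ip =~ /:::/;                           # no triple colon
    my $compressed = ($ip =~ /::/) ? 1 : 0;
    return 0 if $ip =~ /::.*::/;                        # at most one "::"
    return 0 if $ip =~ /^:(?!:)/ || $ip =~ /(?<!:):$/;  # lone leading/trailing ':'
    my @groups = grep { length } split /:/, $ip;
    my $count = 0;
    for my $i (0 .. $#groups) {
        my $g = $groups[$i];
        if ($g =~ /^[0-9a-fA-F]{1,4}$/) { $count++; next; }
        # a dotted quad is allowed only as the last element
        if ($i == $#groups
            && $g =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
            my @oct = ($1, $2, $3, $4);                 # copy before any further match
            for my $o (@oct) { return 0 if $o > 255 || $o =~ /^0\d/; }
            $count += 2;
            next;
        }
        return 0;                                       # anything else is malformed
    }
    return $compressed ? ($count <= 7 ? 1 : 0) : ($count == 8 ? 1 : 0);
}

# Guarded lookup: a malformed literal is "not allowed" instead of being passed
# to find(), whose answer for such input is meaningless before 0.23.
sub acl_allows {
    my ($acl, $ip) = @_;
    return 0 unless is_strict_ipv6($ip);
    return $acl->find($ip) ? 1 : 0;
}

# Constructed sample ACL and probes (documentation prefix, not real hosts).
my $acl = Net::CIDR::Lite->new("2001:db8::/32");
for my $ip ("2001:db8::1", "2001:db8:0:0:0:0:0:1", "::ffff:192.0.2.1",
            "2001:db8:1", "2001:db8", "1:2:3", "abcd", "1:2:3:4:5:6:7:8::") {
    printf "%-22s strict=%d  allowed=%d\n",
        $ip, is_strict_ipv6($ip), acl_allows($acl, $ip);
}
```

Only the first two probes are both well-formed and inside the range; "::ffff:192.0.2.1" is well-formed but outside it, and the remaining five are rejected by is_strict_ipv6 before the module sees them. The check is deliberately stricter than what the module itself accepts (no zone ID, no brackets, no leading zeros in an embedded dotted quad), because the point of the guard is to hand the ACL only inputs whose shape is unambiguous.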

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Stigtsp net\:\:cidr\:\:lite
CPEs                 -                cpe:2.3:a:stigtsp:net\:\:cidr\:\:lite:*:*:*:*:*:perl:*:*
Vendors & Products   -                Stigtsp net\:\:cidr\:\:lite

Mon, 13 Apr 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
          -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Stigtsp; Stigtsp net::cidr::lite
Vendors & Products   -                Stigtsp; Stigtsp net::cidr::lite

Fri, 10 Apr 2026 22:00:00 +0000

Type          Values Removed   Values Added
Description   -                (initial description text, identical to the Description section at the top of this page)
Title         -                Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass
Weaknesses    -                CWE-1286
References    -                (none shown)

MITRE

Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-04-13T14:41:59.967Z
Reserved: 2026-04-09T22:12:06.334Z
Link: CVE-2026-40198

Vulnrichment

Updated: 2026-04-13T14:41:32.534Z

NVD

Status: Analyzed
Published: 2026-04-10T22:16:21.463
Modified: 2026-04-21T18:49:34.500
Link: CVE-2026-40198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:36:18Z

Weaknesses