Description
Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass.

_pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address.

The wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find() which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses.

Example:

my $cidr = Net::CIDR::Lite->new("::ffff:192.168.1.0/120");
$cidr->find("::ffff:192.168.2.0"); # incorrectly returns true

This is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x).

See also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.
Published: 2026-04-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: IP ACL bypass
Action: Apply Patch
AI Analysis

Impact

Net::CIDR::Lite versions prior to 0.23 mishandle IPv4-mapped IPv6 addresses by appending a sentinel byte, producing an 18-byte representation instead of the expected 17 bytes. This misalignment leads to incorrect mask calculations and the find functions may return false positives or negatives when evaluating IP membership. The effect is that an application using this library for IP access control could incorrectly allow or deny traffic, effectively bypassing the ACL mechanism.

Affected Systems

The flaw affects all releases of the STIGTSP Net::CIDR::Lite Perl module before version 0.23. Any system or application that imports this module to interpret IPv4-mapped IPv6 addresses or perform CIDR calculations could be impacted.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity, while the EPSS score is reported as less than 1% and the vulnerability is not listed in the CISA KEV catalog. The CVE description does not mention existing exploits; the vulnerability can be exploited by supplying a crafted IPv4-mapped IPv6 address to an application that relies on Net::CIDR::Lite for ACL decisions, but availability of a public exploit is not documented.

Generated by OpenCVE AI on April 13, 2026 at 17:20 UTC.

Remediation

Vendor Solution

Upgrade to version 0.23 or newer, or apply the patch provided.

OpenCVE Recommended Actions

  • Upgrade Net::CIDR::Lite to version 0.23 or later
  • If upgrading is not possible, apply the patch provided in the referenced commit

Generated by OpenCVE AI on April 13, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Stigtsp net\
CPEs cpe:2.3:a:stigtsp:net\:\:cidr\:\:lite:*:*:*:*:*:perl:*:*
Vendors & Products Stigtsp net\

Mon, 13 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Stigtsp
Stigtsp net::cidr::lite
Vendors & Products Stigtsp
Stigtsp net::cidr::lite

Fri, 10 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. _pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address. The wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find() which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses. Example: my $cidr = Net::CIDR::Lite->new("::ffff:192.168.1.0/120"); $cidr->find("::ffff:192.168.2.0"); # incorrectly returns true This is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x). See also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.
Title Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass
Weaknesses CWE-130
References

Subscriptions

Stigtsp Net::cidr::lite Net\
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-13T14:37:18.227Z

Reserved: 2026-04-09T22:12:06.334Z

Link: CVE-2026-40199

cve-icon Vulnrichment

Updated: 2026-04-13T14:34:14.694Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T22:16:21.597

Modified: 2026-04-21T18:41:01.297

Link: CVE-2026-40199

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:17Z

Weaknesses