Description
Net::CIDR::Lite versions before 0.24 for Perl do not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass.

Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result.

Example:

use Net::CIDR::Lite;

my $cidr = Net::CIDR::Lite->new();
$cidr->add("::1\n/128");   # newline inside the address passes validation
$cidr->find("::1a"); # incorrectly returns true

See also CVE-2026-45191.
Published: 2026-05-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The library fails to properly validate IP addresses and CIDR masks: input strings containing a trailing newline or non-ASCII digit characters are accepted and then re-encoded by the parser to a different network address than the one written. As a result, find() and bin_find() may incorrectly report a match or miss one, allowing an attacker to bypass IP-based access control lists. This flaw is an input-validation weakness, identified as CWE-1289.

Affected Systems

The flaw affects the Net::CIDR::Lite Perl module provided by STIGTSP, specifically all versions prior to 0.24.

Risk and Exploitability

Because the vulnerability permits control over the network address used in ACL checks, an attacker with the ability to supply arbitrary strings to the module could gain unauthorized access to protected resources. The precise exploitability depends on how the library is integrated into an application; if user input flows directly into the module, remote exploitation is possible, based on an inferred attack scenario. The CVSS score is 6.5, the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 12, 2026 at 16:29 UTC.

Remediation

Vendor Solution

Upgrade to version 0.24 or newer, or apply the patch provided.


OpenCVE Recommended Actions

  • Upgrade the Net::CIDR::Lite module to version 0.24 or newer, which includes the input‑validation fix.
  • Apply the patch available at https://github.com/stigtsp/Net-CIDR-Lite/commit/ca9542adec87110556601d7ce48381ea8d13e692.patch if upgrading is not immediately possible.
  • Add input sanitisation to reject IP strings with trailing newlines, non‑ASCII digits, or otherwise malformed addresses before passing them to the module as a short‑term safeguard.
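
A pre-filter along the lines of the last recommendation, as an added example (not code from Net::CIDR::Lite or its patch). The helper name strict_cidr and the sample inputs are constructed for illustration, and the comments on `$` and `\d` describe general Perl regex behaviour, not the module's internals.

```perl
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Hypothetical helper: return the input unchanged if it is a plain ASCII
# address or CIDR string, otherwise return nothing (undef in scalar context).
sub strict_cidr {
    my ($in) = @_;
    return unless defined $in;
    # \A and \z anchor the whole string; unlike $, \z does not tolerate a
    # final "\n". [0-9] is ASCII only, whereas \d can match other Unicode digits.
    my ($addr, $mask) = $in =~ m{\A([0-9A-Fa-f:.]{2,45})(?:/([0-9]{1,3}))?\z}
        or return;
    my $is_v6 = index($addr, ':') >= 0;
    # Let the system parser decide whether the address itself is well formed.
    defined inet_pton($is_v6 ? AF_INET6 : AF_INET, $addr) or return;
    if (defined $mask) {
        return if $mask =~ /\A0[0-9]/;              # no leading zeros
        return if $mask > ($is_v6 ? 128 : 32);      # mask within family range
    }
    return $in;
}

# Constructed sample inputs (not taken from real traffic).
my @samples = (
    "192.0.2.0/24",
    "::1/128",
    "::1\n/128",                       # newline inside, as in the example above
    "::1/128\n",                       # trailing newline
    "10.0.0.0/\x{0662}\x{0664}",       # ARABIC-INDIC digits for "24"
    "10.0.0.0/33",                     # mask out of range
);

for my $s (@samples) {
    # Escape non-printable and non-ASCII characters so the input is visible.
    (my $shown = $s) =~ s/([^\x20-\x7e])/sprintf('\\x{%02x}', ord $1)/ge;
    printf "%-28s %s\n", $shown, defined strict_cidr($s) ? 'accept' : 'reject';
}
```

Call the filter on every string before it reaches add(), find() or bin_find(), and treat a rejected value as a denied request rather than falling through to the ACL lookup.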



Advisories

No advisories yet.

History

Tue, 12 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Stigtsp
Stigtsp net::cidr::lite
Vendors & Products Stigtsp
Stigtsp net::cidr::lite

Sun, 10 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description Net::CIDR::Lite versions before 0.24 for Perl do not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result. Example: my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); # incorrectly returns true See also CVE-2026-45191.
Title Net::CIDR::Lite versions before 0.24 for Perl do not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass
Weaknesses CWE-1289
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-12T14:31:01.908Z

Reserved: 2026-05-10T16:36:05.708Z

Link: CVE-2026-45190

Vulnrichment

Updated: 2026-05-12T14:30:37.454Z

NVD

Status: Deferred

Published: 2026-05-10T21:16:29.273

Modified: 2026-05-12T16:48:58.260

Link: CVE-2026-45190

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T16:30:19Z
