Description
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks.

Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
Published: 2026-06-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::CIDR::Set versions through 0.20 for Perl accept non‑ASCII digits in IP addresses and netmasks, but treat them as malformed numbers. Because the module does not interpret the digits correctly, a subnet mask may be interpreted as a larger network than intended. This discrepancy can enable an attacker to create an entry that expands a restricted network to cover more addresses, potentially giving them access to resources or information that should be excluded.

Affected Systems

The vulnerability affects RRWO’s Net::CIDR::Set module for Perl up to and including version 0.20. Any installation of this module within scripts, applications, or systems that rely on accurate CIDR calculations could be impacted. The vendor provides an official fix in version 0.21.

Risk and Exploitability

The exploitability of this flaw depends on the attacker’s ability to supply IP and mask values to a vulnerable instance of the module. If such input can be controlled, the flaw could be abused to widen access rights or bypass network‑level restrictions. No EPSS score is currently available, and the issue is not listed in the CISA KEV catalog, indicating that active exploitation is not known. The CVSS score of 6.5 indicates moderate severity.

Generated by OpenCVE AI on June 4, 2026 at 19:22 UTC.

Remediation

Vendor Solution

Upgrade to version 0.21.


OpenCVE Recommended Actions

  • Upgrade RRWO Net::CIDR::Set to version 0.21 or later to resolve the parsing issue.
  • For systems that cannot upgrade immediately, implement input validation to reject non‑ASCII characters in IP addresses and netmask strings before passing them to the module.
  • As a temporary mitigation, restrict the use of the module to trusted, internally controlled scripts or enforce network segmentation to prevent unintended access expansions.
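The input-validation mitigation above, sketched as an added Perl example (not code from Net::CIDR::Set or from this advisory). The helper names are hypothetical, the sample strings are constructed, and the allowed character set is an assumption about the address, CIDR and range syntax in use.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of Net::CIDR::Set): true only when $spec is
# built from ASCII characters that an address, CIDR or range string needs.
# Assumption: hex digits, ':', '.', '/', '-' and spaces cover the syntax in use.
sub is_ascii_cidr_spec {
    my ($spec) = @_;
    return 0 unless defined $spec && length $spec;
    # [0-9], not \d: without /a, \d also matches Unicode digits like U+0661.
    # \z, not $: $ would let a trailing newline through.
    return $spec =~ /\A[0-9A-Fa-f:.\/ -]+\z/ ? 1 : 0;
}

# Render control and non-ASCII characters as \x{...} so rejects log safely.
sub printable {
    my ($s) = @_;
    return join '', map {
        my $c = ord;
        ($c < 0x20 || $c > 0x7E) ? sprintf('\\x{%04X}', $c) : $_
    } split //, $s;
}

# Split input into specs that may go to the module and specs to refuse.
sub partition_specs {
    my (@accepted, @rejected);
    for my $spec (@_) {
        if (is_ascii_cidr_spec($spec)) { push @accepted, $spec }
        else                           { push @rejected, $spec }
    }
    return (\@accepted, \@rejected);
}

# Constructed sample input.
my @input = (
    '192.168.0.0/24',
    '2001:db8::/32',
    "10.0.0.0/\x{0661}6",          # Arabic-Indic digit one in the prefix length
    "\x{FF11}\x{FF10}.0.0.0/8",    # fullwidth digits in the address
    "10.1.0.0/16\n",               # trailing newline
);

my ($ok, $bad) = partition_specs(@input);
print "accept: $_\n" for @$ok;
print "reject: ", printable($_), "\n" for @$bad;

# Only the accepted list goes to the module, e.g.:
#   my $set = Net::CIDR::Set->new(@$ok);
```

The same check rejects undecoded UTF-8 input, because the bytes that encode U+0661 are not in the allowed set either.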



History

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
Title Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks
Weaknesses CWE-1289
References


MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-04T17:36:19.084Z

Reserved: 2026-06-02T16:06:23.068Z

Link: CVE-2026-49940

Vulnrichment

Updated: 2026-06-04T17:32:25.725Z

NVD

Status: Undergoing Analysis

Published: 2026-06-04T17:16:33.053

Modified: 2026-06-04T19:15:17.327

Link: CVE-2026-49940


OpenCVE Enrichment

Updated: 2026-06-04T19:30:21Z
