Description
Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.

The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.

If the argument was not a well-formed IP address, then this would lead to indefinite recursion.

An attacker could use this to cause a denial of service.
Published: 2026-06-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::CIDR::Set versions up to 0.20 failed to validate IP addresses supplied to the add method. When the input did not resemble a netmask or network range, the library treated it as a single IP and recursively passed it back to itself via the _encode routine. This unbounded recursion can exhaust system resources and crash the process, resulting in a denial of service. The flaw does not provide a path to arbitrary code execution or data disclosure; it merely impacts availability.

Affected Systems

The affected product is Net::CIDR::Set from the vendor RRWO. All releases through version 0.20 are impacted, including 0.20 and all earlier iterations that lack the validation safeguard.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk, and EPSS data are not available, so the threat assessment relies on the description. The vulnerability can be triggered by supplying a malformed IP to the add routine, a scenario that could arise from untrusted input in Perl applications that import this module. Though the attack surface requires the attacker to influence the invocation of add, it can lead to a noticeable denial of service. The issue is not listed in CISA's KEV catalog, indicating it has not been observed as a widely exploited vulnerability in the wild.

Generated by OpenCVE AI on June 4, 2026 at 19:22 UTC.

Remediation

Vendor Solution

Upgrade to version 0.21 of later.

OpenCVE Recommended Actions

  • Upgrade Net::CIDR::Set to version 0.21 or later to apply the input‑validation patch.
  • Prior to using add, validate any IP input with a reliable IP validation routine or regex; reject malformed addresses to prevent unintended recursion.
  • Audit all Perl scripts that use Net::CIDR::Set and replace direct calls to add with a wrapper that enforces validation, or substitute the module with a more secure alternative until the official patch can be applied.

Generated by OpenCVE AI on June 4, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service.
Title Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses
Weaknesses CWE-1287
CWE-674
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-04T18:45:40.658Z

Reserved: 2026-06-02T16:06:23.069Z

Link: CVE-2026-49941

cve-icon Vulnrichment

Updated: 2026-06-04T18:45:40.658Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-04T17:16:33.173

Modified: 2026-06-04T20:16:58.373

Link: CVE-2026-49941

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T19:30:21Z

Weaknesses