Description
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks.

The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks.

Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.
Published: 2026-06-04
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from incorrect validation of network mask values in Net::CIDR::Set versions up to 0.20. Unicode digits such as Arabic‑Indic numerals and other non‑digit characters are ignored, enabling the module to accept mask values that represent larger networks than intended. Leading zeros are also treated as decimal rather than octal, causing further misinterpretation of permitted address ranges. The weakness is an instance of input validation failure (CWE‑1289) that can lead to broader than expected network scopes, potentially allowing an attacker to gain unauthorized access or influence traffic classification.

Affected Systems

The issue affects the Perl module Net::CIDR::Set provided by RRWO. Versions up to and including 0.20 are vulnerable. An upgrade to version 0.21 or later resolves the validation logic problems.

Risk and Exploitability

Because the vulnerability is limited to the interpretation of network mask values, it is mainly exploitable in contexts where an attacker can supply or influence that data, such as configuration files, scripts, or network‑related services that consume this Perl module. Although there is no EPSS score and the vulnerability is not listed in the KEV catalog, the lack of proper validation could lead to disproportionate network access if the module is used in security‑critical code. The CVSS score of 7.3 indicates a high severity. Consequently, the risk is moderate to high, and mitigations should be applied promptly.

Generated by OpenCVE AI on June 4, 2026 at 20:20 UTC.

Remediation

Vendor Solution

Upgrade to version 0.21.


OpenCVE Recommended Actions

  • Upgrade Net::CIDR::Set to version 0.21 or higher
  • Validate mask values in application code to reject non‑numeric characters and disallow leading zeros unless explicitly required
  • Monitor network‑related logs for anomalous subnet sizes that may indicate exploitation
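The second recommended action above (reject non-numeric characters and leading zeros in the mask) is the check an application can apply to a CIDR string before handing it to Net::CIDR::Set. The following Perl is an added example written for this page; it is not code from Net::CIDR::Set, from RRWO, or from the fix in 0.21, and the function names `validate_prefix_length` and `check_cidr` and the sample inputs are constructed here. It uses an explicit ASCII `[0-9]` class rather than `\d`, because in Perl `\d` also matches Unicode decimal digits such as U+0661, which is exactly the class of input the advisory describes.

```perl
#!/usr/bin/perl
# Added example (not part of Net::CIDR::Set): strict validation of the
# prefix-length ("mask") part of a CIDR string before it reaches the module.
use strict;
use warnings;
binmode STDOUT, ':encoding(UTF-8)';   # the sample input below contains a non-ASCII digit

# Returns the prefix length as an integer on success, or undef on rejection.
# Rules: ASCII digits only, no leading zeros (so "010" is neither silently
# read as 10 nor as octal 8), and the value must fit the address family.
sub validate_prefix_length {
    my ($mask, $family) = @_;
    return undef unless defined $mask;
    my $max = ($family == 6) ? 128 : 32;
    # Explicit [0-9] instead of \d: \d would also accept U+0661 and friends.
    # \A and \z anchor the whole string, so trailing junk such as "8x" is
    # rejected rather than ignored.
    return undef unless $mask =~ /\A(?:0|[1-9][0-9]*)\z/;
    my $n = $mask + 0;
    return undef if $n > $max;
    return $n;
}

# Splits "address/prefix" and validates only the prefix part; address parsing
# is left to Net::CIDR::Set once the string has passed this check.
# Returns a short human-readable verdict.
sub check_cidr {
    my ($cidr) = @_;
    my ($addr, $mask) = split m{/}, $cidr, 2;
    return 'rejected: missing prefix' unless defined $mask;
    my $family = ($addr =~ /:/) ? 6 : 4;   # crude family detection, enough for the prefix bound
    my $n = validate_prefix_length($mask, $family);
    return defined $n ? "accepted: $addr/$n" : "rejected: bad prefix '$mask'";
}

# Constructed sample inputs. The third uses U+0661 (ARABIC-INDIC DIGIT ONE)
# followed by ASCII "6"; the fourth has a leading zero; the fifth has a
# trailing non-digit; the sixth is out of range for IPv4.
my @samples = (
    '10.0.0.0/8',
    '2001:db8::/32',
    "10.0.0.0/\x{0661}6",
    '10.0.0.0/010',
    '10.0.0.0/8x',
    '10.0.0.0/33',
);

for my $cidr (@samples) {
    print "$cidr => ", check_cidr($cidr), "\n";
}
```

Only the first two samples are accepted; the remaining four are rejected outright rather than being reinterpreted as a different (possibly larger) network, which is the behaviour the advisory's recommendation calls for. The same pattern applies if the application stores masks in dotted-quad form: parse the four octets with `[0-9]` classes and range-check each one before converting.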



Advisories

No advisories yet.

History

Thu, 04 Jun 2026 19:30:00 +0000

Type     Values Removed   Values Added
Metrics                   cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
                          ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 16:45:00 +0000

Type         Values Removed   Values Added
Description                   Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.
Title                         Net::CIDR::Set versions through 0.20 for Perl did not validate network masks
Weaknesses                    CWE-1289
References


MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-04T17:45:48.065Z

Reserved: 2026-06-02T16:06:23.069Z

Link: CVE-2026-49942

Vulnrichment

Updated: 2026-06-04T17:41:09.267Z

NVD

Status: Undergoing Analysis

Published: 2026-06-04T17:16:33.283

Modified: 2026-06-04T19:16:30.563

Link: CVE-2026-49942

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T20:30:16Z

Weaknesses