Description
Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length.

add() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width.

addPrefixToTrie() then walks the prefix buffer by prefix_length bits, reading prefix[byte] for byte up to prefix_len/8, where prefix is the 4-byte (IPv4) or 16-byte (IPv6) packed address. A prefix length greater than 32 for IPv4 or 128 for IPv6, for example add("1.2.3.4/255", $v) or add("2001:db8::/255", $v), reads past the end of the packed address.

The out-of-bounds read happens during trie construction and is bounded: the prefix length is stored as an unsigned char, so the bit walk reads at most 32 bytes from the start of the packed address, a short distance past the end of the 4-byte or 16-byte buffer. It is detectable under AddressSanitizer, valgrind, or a hardened allocator, where it can abort the process. Lookups and dump() format only the valid address width, so the out-of-bounds bytes are not exposed through the module's API.
Published: 2026-07-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Net::IP::LPM Perl module reads a prefix string into a fixed‑size buffer without checking that the supplied prefix length is within the bounds of the address width. When add() is called with a prefix length larger than 32 for IPv4 or 128 for IPv6, the trie builder walks past the end of the packed address and performs an out‑of‑bounds read of up to 32 bytes. The read does not return data that is used by the module’s public API, but the operation can trigger an abort in hardened allocators or sanitizers, leading to a denial‑of‑service or process termination. The weakness corresponds to CWE‑125.

Affected Systems

The vulnerability afflicts TPODER’s Net::IP::LPM module, versions 1.10 and earlier. Any Perl application that imports this module and calls add() with an unbounded prefix length—from input supplied by an external user or another component—creates a path to the flaw. The issue is limited to the module’s add() functionality and affects only the internal construction of the routing trie.

Risk and Exploitability

Because the flaw is triggered by a plainly visible API call with a user‑supplied prefix length, it is relatively easy for an attacker who can influence that call to exploit the issue and crash the process. No exploit code is required beyond passing a malformed prefix string. The EPSS score is not available and the CVE is not listed in CISA’s KEV catalog, but due to the potential for immediate denial of service the risk remains high in environments that import the affected module. The CVSS score is not provided in the data, but the impact is significant enough that mitigation should take priority.

Generated by OpenCVE AI on July 3, 2026 at 17:12 UTC.

Remediation

Vendor Workaround

Apply the patch. Otherwise, reject prefix lengths greater than 32 (IPv4) or 128 (IPv6) before passing them to add().


OpenCVE Recommended Actions

  • Apply the patch supplied by the module maintainers: https://security.metacpan.org/patches/N/Net-IP-LPM/1.10/CVE-2026-56015-r2.patch
  • Upgrade to a version of Net::IP::LPM newer than 1.10 that validates prefix lengths against the address width before calling add()
  • Implement input validation to reject any prefix length greater than 32 for IPv4 or 128 for IPv6 before it reaches the add() routine

Generated by OpenCVE AI on July 3, 2026 at 17:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 13:15:00 +0000

Type Values Removed Values Added
Description Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length. add() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width. addPrefixToTrie() then walks the prefix buffer by prefix_length bits, reading prefix[byte] for byte up to prefix_len/8, where prefix is the 4-byte (IPv4) or 16-byte (IPv6) packed address. A prefix length greater than 32 for IPv4 or 128 for IPv6, for example add("1.2.3.4/255", $v) or add("2001:db8::/255", $v), reads past the end of the packed address. The out-of-bounds read happens during trie construction and is bounded: the prefix length is stored as an unsigned char, so the bit walk reads at most 32 bytes from the start of the packed address, a short distance past the end of the 4-byte or 16-byte buffer. It is detectable under AddressSanitizer, valgrind, or a hardened allocator, where it can abort the process. Lookups and dump() format only the valid address width, so the out-of-bounds bytes are not exposed through the module's API.
Title Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length
Weaknesses CWE-125
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-03T16:31:29.386Z

Reserved: 2026-06-18T11:27:09.117Z

Link: CVE-2026-56015

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-03T17:15:04Z

Weaknesses