VYPR
← All advisories
Medium severity6.5NVD Advisory· Published May 10, 2026· Updated May 12, 2026

CVE-2026-45190

CVE-2026-45190

Description

Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass.

Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result.

Example:

my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); # incorrectly returns true

See also CVE-2026-45191.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Input validation flaws in Net::Net::CIDR::Lite before 0.24 accepts Unicode digits and trailing newlines in IP/CIDR masks, enabling ACL bypass via find()/bin_find().

Net::CIDR::Lite versions before 0.24 contain an input validation flaw where the parser uses regex patterns that inadvertently accept Unicode digit characters (\d matches any Unicode Nd category digit) and trailing newlines (the /^...$/ anchor matches before a trailing \n). [2]). This allows specially crafted IP addresses or CIDR masks to pass the validator but then be added to the filter set, but the internal pack and numeric operations re-encode the input to a different address than what the string spelled [1].

An attacker can exploit this by sending an IP ACL rule containing input such as "::1\n/128", which is accepted, but then find("::1a") incorrectly returns true because the trailing newline causes re-encoding to a different address [1]. Similarly, non-ASCII digit characters can cause the parser to misinterpret a legitimate address range, leading to either false matches or missed matches in ACL lookups. No authentication is required if the attacker can supply a crafted filter entry or if the application uses user-supplied CIDR input.

A successful bypass could allow unintended network access or denial of service if IP ACL protections are relied upon for security boundaries. The worst-case an attacker might gain access to restricted resources or exfiltrate data from a protected network segment.

The vendor has addressed the issue in version 0.24 (2026-05-10) by replacing \d with [0-9] and using \A...\z anchors to reject Unicode digits and trailing newlines [1][2]. Users should upgrade to this version immediately; no workaround is available beyond auditing any CIDR inputs.

References
  1. Changes - metacpan.org
  2. https://github.com/stigtsp/Net-CIDR-Lite/commit/ca9542adec87110556601d7ce48381ea8d13e692.patch

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
ca9542adec87

CVE-2026-45190: Reject Unicode digits and trailing newlines in parsers

https://github.com/stigtsp/Net-CIDR-LiteStig PalmquistMay 10, 2026via nvd-ref
commit
1 file changed · +6 6
  • Lite.pm+6 6 modified
    @@ -37,7 +37,7 @@ sub add {
     my ($ip, $mask) = split "/", shift;
     $self->_init($ip) || confess "Can't determine ip format" unless %$self;
     confess "Bad mask $mask"
-        unless $mask =~ /^\d+$/ and $mask <= $self->{NBITS}-8;
+        unless $mask =~ /\A[0-9]+\z/ and $mask <= $self->{NBITS}-8;
     $mask += 8;
     my $start = $self->{PACK}->($ip) & $self->{MASKS}[$mask]
         or confess "Bad ip address: $ip";
@@ -181,7 +181,7 @@ sub _pack_ipv4 {
     my @nums = split /\./, shift(), -1;
     return unless @nums == 4;
     for (@nums) {
-        return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ <= 255;
+        return unless /\A[0-9]{1,3}\z/ and !/\A0[0-9]{1,2}\z/ and $_ <= 255;
     }
     pack("CC*", 0, @nums);
 }
@@ -192,15 +192,15 @@ sub _unpack_ipv4 {
 
 sub _pack_ipv6 {
     my $ip = shift;
-    $ip =~ s/^::$/::0/;
-    return if $ip =~ /^:/ and $ip !~ s/^::/:/;
-    return if $ip =~ /:$/ and $ip !~ s/::$/:/;
+    $ip =~ s/\A::\z/::0/;
+    return if $ip =~ /\A:/ and $ip !~ s/\A::/:/;
+    return if $ip =~ /:\z/ and $ip !~ s/::\z/:/;
     my @nums = split /:/, $ip, -1;
     return unless @nums <= 8;
     my ($empty, $ipv4, $str) = (0,'','');
     for (@nums) {
         return if $ipv4;
-        $str .= "0" x (4-length) . $_, next if /^[a-fA-F\d]{1,4}$/;
+        $str .= "0" x (4-length) . $_, next if /\A[a-fA-F0-9]{1,4}\z/;
         do { return if $empty++ }, $str .= "X", next if $_ eq '';
         next if $ipv4 = _pack_ipv4($_);
         return;

Vulnerability mechanics

Root cause

"The parser regexes use \d (which matches Unicode digit characters beyond ASCII 0-9) and /^...$/ anchors (which permit a trailing newline), allowing malformed inputs to pass validation and then be re-encoded to a different IP address than intended."

Attack vector

An attacker can supply an IP address or CIDR mask containing a trailing newline character or non-ASCII Unicode digits (e.g., "::1\n/128" or addresses using Unicode digit characters). These inputs pass the validator checks because \d matches Unicode Nd category digits and /^...$/ matches before a trailing "\n". The parser then re-encodes the input to a different address than the original string spelled, causing find() and bin_find() to match or miss addresses incorrectly. This can lead to IP ACL bypass when the attacker's actual address is not blocked by the intended rule [CWE-1289].

Affected code

The vulnerable code is in Lite.pm, specifically in the add() method's mask validation regex, _pack_ipv4()'s octet validation regexes, and _pack_ipv6()'s hex group validation regex. All use \d (which matches Unicode digits) and /^...$/ anchors (which allow trailing newlines) [patch_id=424668].

What the fix does

The patch replaces \d with [0-9] in all regexes so that only ASCII digit characters are accepted, rejecting Unicode digit characters from the Nd category. It also changes the /^...$/ anchors to /\A...\z/ anchors, which prevents a trailing newline from being accepted before the end-of-string. These changes ensure that the input string validated by the regexes is exactly the same string that gets parsed and packed, closing the discrepancy that allowed ACL bypass [patch_id=424668].

Preconditions

  • inputAttacker must supply an IP address or CIDR mask containing a trailing newline character or non-ASCII Unicode digit characters to the add() method.
  • networkThe attacker's actual IP address must be different from the one the parser re-encodes from the malformed input.

Generated by deepseek/deepseek-v4-flash-20260423 on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.