CVE-2026-45191
Description
Net::CIDR::Lite versions before 0.24 for Perl do not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass.
Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value.
See also CVE-2026-45190.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Net::CIDR::Lite before 0.24 accepts zero-padded CIDR mask values such as /00 or /032 and parses them to the same prefix as the unpadded form, which may allow IP ACL bypass when another component validates or interprets the padded mask differently.
Vulnerability
Overview
Net::CIDR::Lite versions before 0.24 for Perl contain a validation flaw in the parsing of CIDR mask values. The add() method accepts mask strings with extraneous leading zeros (e.g., /00 or /032), treating them as decimal numbers. This behavior is an incomplete fix for CVE-2021-47154, which previously addressed leading zeros only in IPv4 octets but not in the mask portion [1][2].
Attack surface
A remote attacker who can supply a crafted CIDR notation (e.g., 192.0.2.0/00) to an application that uses Net::CIDR::Lite to build IP access control lists can exploit this flaw. When add() processes such a mask, it treats /00 exactly like /0, so the stored range is 0.0.0.0/0 and matches every IPv4 address. A mask that a reviewer or a stricter front-end validator would not recognize as "all hosts" therefore causes the filter to match far more than intended, potentially bypassing ACL restrictions [2].
Impact
Successful exploitation allows an attacker to circumvent IP-based access controls, gaining access to resources that should be blocked. This could lead to unauthorized network access, depending on the context of the library within the application (e.g., firewall rules, whitelists, or request routing policies).
Mitigation
Upgrade to Net::CIDR::Lite version 0.24 or later, which rejects zero-padded mask values via an updated regex in Lite.pm that only accepts masks without leading zeros [1][2]. Where an immediate upgrade is not possible, the same pattern can be applied to the mask string before it reaches add(): reject anything that is not a single "0" or a number with no leading zero. Users should also review any older ACL definitions that may have been accepted with such masks.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Net::CIDR::Lite (Perl) - Range: <0.24
Patches
124e2c439ec40 CVE-2026-45191: Reject zero-padded CIDR masks
1 file changed · +3 −1
Lite.pm+3 −1 modified@@ -37,7 +37,9 @@ sub add { my ($ip, $mask) = split "/", shift; $self->_init($ip) || confess "Can't determine ip format" unless %$self; confess "Bad mask $mask" - unless $mask =~ /\A[0-9]+\z/ and $mask <= $self->{NBITS}-8; + unless defined $mask + and $mask =~ /\A(?:0|[1-9][0-9]*)\z/ + and $mask <= $self->{NBITS}-8; $mask += 8; my $start = $self->{PACK}->($ip) & $self->{MASKS}[$mask] or confess "Bad ip address: $ip";
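Review bot: the new `defined $mask` guard correctly rejects an input with no slash, but the `confess "Bad mask $mask"` on the unchanged context line then interpolates an undefined value, which under `use warnings` emits an "Use of uninitialized value" warning and dies with the message "Bad mask " and nothing after it. Suggest building the message defensively, e.g. `confess "Bad mask " . (defined $mask ? "'$mask'" : '(missing)')`. The commit also changes only Lite.pm (1 file changed): a regression test exercising `/00`, `/01`, `/032`, a bare address with no mask, and the still-valid `/0` and `/32` would pin down the new `\A(?:0|[1-9][0-9]*)\z` regex and catch a future regression of the CVE-2021-47154 kind.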
Vulnerability mechanics
Root cause
"The CIDR mask parser accepts zero-padded numeric strings (e.g., "/00", "/032") as valid decimal values, causing the mask to be interpreted differently than the unpadded form would be by downstream consumers."
Attack vector
An attacker can supply a CIDR notation string containing a zero-padded mask value, such as "10.0.0.0/00" or "192.168.0.0/032". The `add()` method [patch_id=424667] accepts these padded values because the regex `\A[0-9]+\z` matches any sequence of digits, including those with leading zeros. Perl's string-to-number conversion then reads "00" as 0 and "032" as 32 (a leading zero in a string does not trigger octal parsing; only numeric literals in source code are octal), while a textual ACL filter or a stricter parser in front of the library might reject "/00" as invalid or read "/032" differently, creating a mismatch. An attacker can exploit this discrepancy to bypass IP ACL checks when `find()` is called on ranges that were added with padded masks.
Affected code
The vulnerability is in the `add()` method of `Lite.pm` [patch_id=424667]. The mask validation regex `\A[0-9]+\z` on line 40 accepts any sequence of digits, including zero-padded values like "00" or "032". Perl then compares the parsed numeric value against `$self->{NBITS}-8`, but the textual representation with leading zeros may be interpreted differently by downstream ACL filters.
What the fix does
The patch [patch_id=424667] tightens the mask validation regex from `\A[0-9]+\z` to `\A(?:0|[1-9][0-9]*)\z`, which rejects any mask string with leading zeros (except the single digit "0" itself). This ensures that "00", "01", "032" and similar zero-padded forms are no longer accepted. The fix also adds an explicit `defined $mask` check to handle the case where no mask is provided. By rejecting padded masks at parse time, the patch prevents the discrepancy between how `add()` interprets the mask value and how a textual filter or downstream consumer would interpret it.
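The following is an added example, not code from Net::CIDR::Lite or from the advisory. It re-creates the pre-0.24 and 0.24 mask checks from the diff as two standalone functions (the NBITS value of 40 for IPv4 is an assumption, chosen so that NBITS-8 equals 32 as the comparison in the diff requires), runs both over constructed mask strings, shows how Perl numifies the padded strings, and expands what a mask of 0 covers for 192.0.2.0 so the all-hosts effect described under "Attack surface" is visible.

```perl
#!/usr/bin/env perl
# Added example (not Net::CIDR::Lite code): compare the pre-0.24 mask check
# with the 0.24 regex from the fix commit on constructed mask strings.
use strict;
use warnings;

# Assumption: Net::CIDR::Lite uses 40 for IPv4 (32 address bits + 8 extra),
# so the diff's "$mask <= $self->{NBITS}-8" bounds the prefix at 32.
my $NBITS = 40;

# Pre-0.24 check, as on the '-' line of the diff: any run of digits passes.
# (The real old code has no defined() guard; it is added here only so the
# demo loop below can feed undef without a warning.)
sub mask_ok_old {
    my ($mask) = @_;
    return defined $mask && $mask =~ /\A[0-9]+\z/ && $mask <= $NBITS - 8;
}

# 0.24 check, as on the '+' lines: a lone "0" or a number with no leading zero.
sub mask_ok_new {
    my ($mask) = @_;
    return defined $mask
        && $mask =~ /\A(?:0|[1-9][0-9]*)\z/
        && $mask <= $NBITS - 8;
}

# Start and end of the IPv4 range an (ip, prefix) pair covers, to show
# what a "/00" that numifies to 0 actually matches.
sub ipv4_range {
    my ($ip, $prefix) = @_;
    my $n    = unpack("N", pack("C4", split /\./, $ip));
    my $bits = $prefix == 0 ? 0 : (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF;
    my $start = $n & $bits;
    my $end   = $start | (~$bits & 0xFFFFFFFF);
    return map { join ".", unpack("C4", pack("N", $_)) } ($start, $end);
}

# Constructed inputs: padded forms an attacker might submit plus normal ones.
my @masks = ("0", "00", "01", "032", "24", "32", "33", "", "0x20", undef);

printf "%-10s %-12s %-10s %s\n", "mask", "numifies to", "pre-0.24", "0.24";
for my $m (@masks) {
    my $label = defined $m ? "/$m" : "(no mask)";
    # A leading zero in a *string* does not make Perl parse it as octal:
    # 0 + "032" is 32, not 26.
    my $num = (defined $m && $m =~ /\A[0-9]+\z/) ? 0 + $m : "n/a";
    printf "%-10s %-12s %-10s %s\n", $label, $num,
        mask_ok_old($m) ? "accepted" : "rejected",
        mask_ok_new($m) ? "accepted" : "rejected";
}

# What the pre-0.24 library stores for "192.0.2.0/00": the same as /0,
# i.e. every IPv4 address, versus the /24 an operator likely intended.
for my $p (0, 24) {
    my ($start, $end) = ipv4_range("192.0.2.0", $p);
    printf "192.0.2.0/%-2d covers %s - %s\n", $p, $start, $end;
}
```

Run it with a stock perl; no modules beyond strict and warnings are needed. The table shows "/00", "/01" and "/032" accepted by the old check and rejected by the new one, while "/0", "/24" and "/32" remain valid under both, and the last two lines show that the range stored for a mask of 0 is 0.0.0.0 through 255.255.255.255.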
Preconditions
- input: Attacker must be able to supply a CIDR string with a zero-padded mask value (e.g., '/00', '/032') to the add() method.
- config: The application must use Net::CIDR::Lite before version 0.24 and rely on find() for ACL decisions after adding ranges with padded masks.
Generated by deepseek/deepseek-v4-flash-20260423 on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0. No linked articles in our index yet.