CVE-2026-49940
Description
Net::CIDR::Set for Perl versions through 0.20 incorrectly parsed non-ASCII IP addresses and netmasks, potentially allowing larger networks than intended.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Net::CIDR::Set versions through 0.20 for Perl accepted non-ASCII IP addresses and netmasks, such as Arabic-Indic digits. These were not properly parsed as numbers, which could lead to network masks accepting larger networks than intended.
Exploitation
An attacker could provide non-ASCII characters in IP addresses or netmasks when interacting with a system using a vulnerable version of Net::CIDR::Set. The specific steps would depend on how the application utilizes the Net::CIDR::Set module for IP address validation or network definition.
Impact
Successful exploitation could allow an attacker to bypass access controls or define network ranges that are larger than intended, potentially leading to unauthorized access to network resources or services. The exact impact depends on how the module's output is used by the application.
Mitigation
Net::CIDR::Set version 0.21, released on 2026-06-02, addresses this vulnerability by improving the strictness of IP address and netmask parsing [2]. Users are advised to upgrade to version 0.21 or later. No information is available regarding workarounds for older versions.
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Net::CIDR::Set (Perl), range: <=0.20
Patches
1be7d91e8446a: Disallow IPv4 addresses with leading 0s in the quads
3 files changed · +5 −2
Changes+3 −0 modified@@ -1,6 +1,9 @@ Revision history for Net-CIDR-Set {{$NEXT}} + [Security] + - Disallow IPv4 addresses with a leading 0 in the quads, e.g. "010.0.0.1". + [Documentation] - Updated the current maintainer to Robert Rothenberg <rrwo@cpan.org>.
lib/Net/CIDR/Set/IPv4.pm+1 −1 modified@@ -22,7 +22,7 @@ sub _pack { my @nums = split /[.]/, shift, -1; return unless @nums == 4; for ( @nums ) { - return unless /^\d{1,3}$/ and $_ < 256; + return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ < 256; } return pack "CC*", 0, @nums; }
lib/Net/CIDR/Set/IPv6.pm+1 −1 modified@@ -22,7 +22,7 @@ sub _pack_ipv4 { my @nums = split /[.]/, shift, -1; return unless @nums == 4; for ( @nums ) { - return unless /^\d{1,3}$/ and $_ < 256; + return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ < 256; } return pack "CC*", 0, @nums; }
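Review bot: The Changes entry records only the leading-zero rejection, while this commit is being cited as the fix for the non-ASCII-digit parsing problem; if that is the intent, the entry should say so (and the code should implement it), otherwise users reading the release notes for that fix will find no pointer to it. Suggest extending the `[Security]` entry to state explicitly which input classes are now rejected.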
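Review bot: The new `!/^0\d{1,2}$/` clause in `_pack` (IPv4.pm) rejects leading zeros, but the retained `/^\d{1,3}$/` test still accepts any Unicode decimal digit on a character string (Perl's `\d` is not restricted to `[0-9]` without the `/a` modifier), and the following `$_ < 256` comparison numifies such a quad to 0, so it passes the loop and `pack "CC*", 0, @nums` emits a zero octet; the non-ASCII-digit case this CVE describes is therefore not closed by this hunk. Suggest `return unless /^(?:0|[1-9][0-9]{0,2})$/ and $_ < 256;`, which is ASCII-only and makes the separate leading-zero clause unnecessary.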
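Review bot: `_pack_ipv4` in IPv6.pm duplicates the `_pack` quad loop from IPv4.pm line for line, including the new leading-zero clause, so every further tightening of quad validation (ASCII-only digits, for instance) now has to be applied in two places. Consider having the embedded-IPv4 path in IPv6.pm call the IPv4 packer, or moving the per-quad test into one shared subroutine, so the two copies cannot drift apart.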
Vulnerability mechanics
Root cause
"The module accepted non-ASCII digits in IP addresses and netmasks, leading to improper parsing."
Attack vector
An attacker could provide IP addresses or netmasks containing non-ASCII digits, such as Arabic-Indic digits, to the Net::CIDR::Set module. The module would incorrectly parse these inputs, potentially allowing for larger network ranges than intended. This could lead to unexpected behavior or security bypasses in downstream network access control mechanisms.
Affected code
The vulnerability resides in the `_pack` subroutine within `lib/Net/CIDR/Set/IPv4.pm` and the `_pack_ipv4` subroutine within `lib/Net/CIDR/Set/IPv6.pm`. These functions are responsible for parsing and packing IP address components.
What the fix does
The patch modifies the `_pack` subroutine in `lib/Net/CIDR/Set/IPv4.pm` and the `_pack_ipv4` subroutine in `lib/Net/CIDR/Set/IPv6.pm`. It adds the clause `!/^0\d{1,2}$/` to the per-quad test, rejecting IPv4 addresses whose octets carry a leading zero (for example `010.0.0.1`). This prevents octal interpretation and ensures that only canonical dotted-quad formats are accepted, thereby mitigating the improper parsing of non-ASCII digits and over-wide network masks [patch_id=4825325].
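The script below is an added example and not Net::CIDR::Set's own code. It contrasts a per-quad check written in the style of the pre-fix pattern visible in the hunks (`/^\d{1,3}$/ and $_ < 256`) with a strict ASCII-only check, and applies the same two styles to a prefix length to show where a "larger network than intended" comes from: on a character string (here via `use utf8`) Perl's `\d` matches Arabic-Indic digits, and a numeric comparison or addition then numifies the string to 0. The subroutine names and the input strings are constructed for this illustration.

```perl
#!/usr/bin/env perl
# Added example (not Net::CIDR::Set's own code): loose vs strict quad and
# prefix-length validation for IPv4 input. Needs perl >= 5.10.
use strict;
use warnings;
use utf8;                              # the literals below are UTF-8 characters
binmode STDOUT, ':encoding(UTF-8)';

# Loose check in the style of the pre-fix code: \d also matches Unicode
# decimal digits on character strings, and "$q < 256" numifies a
# non-ASCII quad to 0, so the comparison passes.
sub quad_ok_loose {
    my ($q) = @_;
    no warnings 'numeric';             # the comparison warns on "١٠"; silenced for the demo
    return ($q =~ /^\d{1,3}$/ && $q < 256) ? 1 : 0;
}

# Strict check: ASCII digits only, no leading zero, value 0..255.
sub quad_ok_strict {
    my ($q) = @_;
    return ($q =~ /^(?:0|[1-9][0-9]{0,2})$/ && $q < 256) ? 1 : 0;
}

# Prefix length parsed the same two ways; the loose path turns "٢٤" into 0.
sub prefix_loose  { my ($p) = @_; no warnings 'numeric'; return $p =~ /^\d{1,2}$/ ? 0 + $p : undef }
sub prefix_strict { my ($p) = @_; return $p =~ /^(?:[0-9]|[12][0-9]|3[0-2])$/ ? 0 + $p : undef }

# Number of IPv4 addresses covered by a prefix of the given length.
sub hosts_in_prefix { my ($len) = @_; return 2 ** (32 - $len) }

# Constructed inputs: plain ASCII, a leading zero, and Arabic-Indic digits.
my @quads    = ('10', '010', '١٠');
my @prefixes = ('24', '٢٤');

for my $q (@quads) {
    printf "quad %-4s loose=%d strict=%d\n", $q, quad_ok_loose($q), quad_ok_strict($q);
}
for my $p (@prefixes) {
    my ($l, $s) = (prefix_loose($p), prefix_strict($p));
    printf "prefix /%-3s loose=%s (%s addresses) strict=%s\n",
        $p,
        defined $l ? $l : 'rejected',
        defined $l ? hosts_in_prefix($l) : '-',
        defined $s ? $s : 'rejected';
}
```

Run with `perl example.pl`: the loose check accepts all three quads, the strict check accepts only `10`; the loose prefix parser maps `٢٤` to length 0 (4294967296 addresses, the whole IPv4 space), which is the widening effect the advisory describes, while the strict parser rejects it. The strict patterns spell out `[0-9]` rather than relying on the `/a` modifier so they behave the same on perls older than 5.14.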
Preconditions
- Input: an IP address or netmask containing non-ASCII digits.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0): no linked articles in our index yet.