VYPR
High severity 7.5 · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-49941

Description

Net::CIDR::Set versions through 0.20 for Perl are vulnerable to indefinite recursion and denial of service due to improper IP address validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Net::CIDR::Set Perl module, in versions through 0.20, fails to properly validate IP addresses passed to its add method. When addresses are not recognized as netmasks or network ranges, they are assumed to be single IP addresses and are passed back to the _encode method. If the argument is not a well-formed IP address, this leads to indefinite recursion.

Exploitation

An attacker can trigger this vulnerability by providing a malformed IP address to the add method of the Net::CIDR::Set module. This requires the attacker to be able to influence the input to the module, such as through a web application or other service that utilizes this library for IP address processing.

Impact

Successful exploitation of this vulnerability can lead to a denial of service (DoS) condition. The indefinite recursion consumes system resources, potentially causing the application or server running the vulnerable code to become unresponsive.

Mitigation

This vulnerability was fixed in Net::CIDR::Set version 0.21, released on 2026-06-02. Users are advised to upgrade to version 0.21 or later to address the issue [1].
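For deployments that cannot move to 0.21 immediately, one way to keep malformed strings away from `add` is to validate input first. The following is an added example, not code from the advisory or from the module's authors. The helper names `parse_ipv4`, `is_valid_spec` and `safe_add` are hypothetical, the allow-list is an assumption that covers IPv4 only (single address, address/prefix, and low-high range) and is deliberately stricter than the module, and the sample input is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_pton AF_INET);
use Net::CIDR::Set;

# Hypothetical helper: packed 4 bytes for a strict dotted-quad IPv4 literal, else undef.
sub parse_ipv4 {
    my ($addr) = @_;
    return undef unless defined $addr && $addr =~ /\A[0-9.]{7,15}\z/;
    return inet_pton(AF_INET, $addr);    # undef when the literal is malformed
}

# Hypothetical allow-list: one address, addr/prefix, or lo-hi range (IPv4 only).
sub is_valid_spec {
    my ($spec) = @_;
    return 0 unless defined $spec;
    if ($spec =~ m{\A([^/-]+)/([0-9]{1,2})\z}) {
        my ($addr, $len) = ($1, $2);
        return (defined(parse_ipv4($addr)) && $len <= 32) ? 1 : 0;
    }
    if ($spec =~ m{\A([^/-]+)-([^/-]+)\z}) {
        my ($from, $to) = ($1, $2);
        my ($lo, $hi) = (parse_ipv4($from), parse_ipv4($to));
        # Packed big-endian bytes of equal length sort in numeric address order.
        return (defined $lo && defined $hi && $lo le $hi) ? 1 : 0;
    }
    return defined(parse_ipv4($spec)) ? 1 : 0;
}

# Add only validated specs; return what was refused so callers can log it.
sub safe_add {
    my ($set, @specs) = @_;
    my @rejected;
    for my $spec (@specs) {
        next if is_valid_spec($spec) && eval { $set->add($spec); 1 };
        push @rejected, $spec;
    }
    return @rejected;
}

# The fixed release is 0.21; warn when an older module is loaded.
eval { Net::CIDR::Set->VERSION('0.21'); 1 }
    or warn "Net::CIDR::Set $Net::CIDR::Set::VERSION predates 0.21; upgrade\n";

# Constructed sample input: documentation ranges plus malformed strings.
my $set = Net::CIDR::Set->new;
my @bad = safe_add($set, '192.0.2.0/24', '198.51.100.7',
    '203.0.113.1-203.0.113.9', '10.0.0.999', 'example', '192.0.2.0/33');
print "rejected: $_\n" for @bad;
print "set: ", $set->as_string, "\n";
```

Logging the rejected list gives operators a signal when a caller repeatedly submits malformed addresses.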

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
