VYPR
High severity · 7.3 · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-49942

Description

Net::CIDR::Set for Perl versions through 0.20 allowed invalid network masks, potentially enabling larger networks or IP ACL bypass.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Net::CIDR::Set versions through 0.20 for Perl did not properly validate network masks. The mask portion could accept Unicode digits or non-digits, which were ignored, and leading zeros were accepted but treated as decimal instead of octal. This allowed for larger networks than intended and potential confusion regarding acceptable network ranges.

Exploitation

An attacker could craft a network mask containing invalid characters or leading zeros. When processed by the vulnerable Net::CIDR::Set module, these masks would be parsed to represent a larger network range than intended, potentially bypassing access control lists (ACLs) that rely on IP address validation. This could be achieved by exploiting the module's lenient parsing of mask values like /00 or /01 [2].

Impact

Successful exploitation could allow an attacker to bypass IP-based access controls, potentially gaining unauthorized access to resources or services. The vulnerability could also lead to confusion in network configurations, making it difficult to determine which networks are truly acceptable, and could allow for the acceptance of larger networks than intended.

Mitigation

Net::CIDR::Set version 0.21, released on 2026-06-02, addresses this vulnerability by improving the strictness of netmask parsing [3]. Users should upgrade to version 0.21 or later. No workarounds are specified in the available references if upgrading is not immediately possible.

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

be7d91e8446a

Disallow IPv4 addresses with leading 0s in the quads

https://github.com/robrwo/perl-net-cidr-set · Robert Rothenberg · May 27, 2025 · via body-scan
3 files changed · +5 −2
  • Changes · +3 −0 · modified
    @@ -1,6 +1,9 @@
     Revision history for Net-CIDR-Set
     
     {{$NEXT}}
    +  [Security]
    +  - Disallow IPv4 addresses with a leading 0 in the quads, e.g. "010.0.0.1".
    +
       [Documentation]
       - Updated the current maintainer to Robert Rothenberg <rrwo@cpan.org>.
     
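Review bot: the [Security] entry states the new rule but not its consequences; one more sentence saying that such addresses were accepted by earlier releases and that other parsers read a leading-zero quad as octal (so "010.0.0.1" can name two different hosts) would tell users why inputs that used to work now fail, and whether they should audit stored ACL entries for that form.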
    
  • lib/Net/CIDR/Set/IPv4.pm · +1 −1 · modified
    @@ -22,7 +22,7 @@ sub _pack {
       my @nums = split /[.]/, shift, -1;
       return unless @nums == 4;
       for ( @nums ) {
    -    return unless /^\d{1,3}$/ and $_ < 256;
    +    return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ < 256;
       }
       return pack "CC*", 0, @nums;
     }
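Review bot: the new check still lets non-ASCII digits through, because `\d` without the `/a` modifier matches any Unicode decimal digit, and `$_ < 256` then compares such a quad as 0 (with a numeric warning) instead of rejecting it; a single pattern such as `/^(?:0|[1-9][0-9]{0,2})$/` rejects both leading zeros and non-ASCII digits in one step and makes the second regex unnecessary. The diff also adds no test for a rejected input such as `010.0.0.1`, so nothing guards the new behaviour.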
    
  • lib/Net/CIDR/Set/IPv6.pm · +1 −1 · modified
    @@ -22,7 +22,7 @@ sub _pack_ipv4 {
       my @nums = split /[.]/, shift, -1;
       return unless @nums == 4;
       for ( @nums ) {
    -    return unless /^\d{1,3}$/ and $_ < 256;
    +    return unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ < 256;
       }
       return pack "CC*", 0, @nums;
     }
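Review bot: this is the same octet check as in `_pack` in IPv4.pm, duplicated rather than shared; moving it into one helper that both `_pack` and `_pack_ipv4` call would keep the two from drifting the next time the rule changes. The same caveat applies here: without `/a`, `\d` also matches Unicode decimal digits, so a quad written with non-ASCII digits still passes the regex and is compared as 0.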
    

Vulnerability mechanics

Root cause

"The module did not properly validate network masks, allowing non-standard characters and leading zeros."

Attack vector

An attacker could provide a network mask containing Unicode digits or non-digit characters, which would be ignored by the module. Additionally, leading zeros in octets were accepted and misinterpreted as octal values. This could lead to the module accepting larger or unintended networks than specified, potentially bypassing security controls that rely on accurate network mask validation [patch_id=4825326].

Affected code

The vulnerability exists in the `lib/Net/CIDR/Set/IPv4.pm` and `lib/Net/CIDR/Set/IPv6.pm` files, in the `_pack` and `_pack_ipv4` subroutines respectively. The regular expression used to validate octets was extended with a check that rejects a leading zero (`!/^0\d{1,2}$/`).

What the fix does

The patch modifies the `_pack` and `_pack_ipv4` subroutines to disallow IPv4 addresses with leading zeros in their octets, such as '010.0.0.1' [patch_id=4825326]. This change prevents the misinterpretation of octal values and ensures that only valid decimal representations of octets are accepted, thereby fixing the vulnerability.
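As an added example that is not code from Net::CIDR::Set or its maintainer, the quad check from the diff above before and after the patch, beside a stricter ASCII-only variant that is this example's own assumption, run over constructed inputs; the `/a` modifier matters because Perl's `\d` otherwise also matches Unicode decimal digits, which the leading-zero check alone does not catch.

```perl
#!/usr/bin/env perl
# Added example, not code from Net::CIDR::Set: the quad check before and
# after commit be7d91e8446a, plus a stricter ASCII-only variant (an
# assumption of this example, not part of the patch).
use strict;
use warnings;
no warnings 'numeric';   # the pre-fix check compares a non-ASCII quad as 0; keep the demo output clean
binmode STDOUT, ':encoding(UTF-8)';

# Pre-fix check, as in lib/Net/CIDR/Set/IPv4.pm before the patch.
sub quads_ok_old {
    my @nums = split /[.]/, shift, -1;
    return 0 unless @nums == 4;
    for (@nums) {
        return 0 unless /^\d{1,3}$/ and $_ < 256;
    }
    return 1;
}

# Post-fix check: additionally rejects a quad with a leading 0 such as "010".
sub quads_ok_new {
    my @nums = split /[.]/, shift, -1;
    return 0 unless @nums == 4;
    for (@nums) {
        return 0 unless /^\d{1,3}$/ and !/^0\d{1,2}$/ and $_ < 256;
    }
    return 1;
}

# Hypothetical stricter variant: /a limits \d to ASCII, so Unicode digits
# (which \d matches by default) are rejected, and the single pattern
# already excludes leading zeros.
sub quads_ok_ascii {
    my @nums = split /[.]/, shift, -1;
    return 0 unless @nums == 4;
    for (@nums) {
        return 0 unless /^(?:0|[1-9]\d{0,2})$/a and $_ < 256;
    }
    return 1;
}

# Constructed inputs: a plain address, a leading-zero quad, an all-zero
# address, an out-of-range quad, and a quad written with Arabic-Indic digits.
for my $ip ("10.0.0.1", "010.0.0.1", "0.0.0.0", "256.0.0.1", "\x{661}\x{660}.0.0.1") {
    printf "%-14s old=%d new=%d ascii=%d\n",
        $ip, quads_ok_old($ip), quads_ok_new($ip), quads_ok_ascii($ip);
}
```

Only the ASCII-only variant rejects the Arabic-Indic input; the patched check rejects `010.0.0.1` but still accepts it.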

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
