oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-45191: Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass

From: Stig Palmquist <stig () stig io>
Date: Sun, 10 May 2026 22:25:36 +0200
========================================================================
CVE-2026-45191                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-45191
  Distribution:  Net-CIDR-Lite
      Versions:  before 0.24

      MetaCPAN:  https://metacpan.org/dist/Net-CIDR-Lite
      VCS Repo:  https://github.com/stigtsp/Net-CIDR-Lite


Net::CIDR::Lite versions before 0.24 for Perl does not properly
consider extraneous zero characters in CIDR mask values, which may
allow IP ACL bypass

Description
-----------
Net::CIDR::Lite versions before 0.24 for Perl does not properly
consider extraneous zero characters in CIDR mask values, which may
allow IP ACL bypass.

Mask forms like "/00" and "/01" pass validation and parse to the same
prefix as their unpadded value.

See also CVE-2026-45190.

Problem types
-------------
- CWE-1289 Improper Validation of Unsafe Equivalence in Input

Solutions
---------
Upgrade to version 0.24 or newer, or apply the patch provided.


References
----------
https://github.com/stigtsp/Net-CIDR-Lite/commit/24e2c439ec405e5256024b9acefd4f7008c5ed0c.patch
https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes
https://www.cve.org/CVERecord?id=CVE-2026-45190

Timeline
--------
- 2026-05-10: Vulnerability found
- 2026-05-10: Net-CIDR-Lite version 0.24 released
Previous By Date Next
Previous By Thread Next

Current thread: