CVE-2026-40198
Status: Received - Intake
IPv6 Input Validation Flaw in Net::CIDR::Lite Enables ACL Bypass

Publication date: 2026-04-10

Last updated on: 2026-04-21

Assigner: CPANSec

Description
Net::CIDR::Lite versions before 0.23 for Perl do not validate the IPv6 group count, which may allow IP ACL bypass. _pack_ipv6() does not check that uncompressed IPv6 addresses (those without "::") have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and produce packed values of the wrong length (3, 7, or 15 bytes instead of 17).

The packed values are used internally for mask and comparison operations. find() and bin_find() use Perl string comparison (lt/gt) on these values, and comparing strings of different lengths gives wrong results. This can cause find() to incorrectly report an address as inside or outside a range. Example:

    my $cidr = Net::CIDR::Lite->new("::/8");
    $cidr->find("1:2:3"); # invalid input, incorrectly returns true

This is the same class of input validation issue as CVE-2021-47154 (IPv4 leading zeros), previously fixed in this module. See also CVE-2026-40199, a related issue in the same function affecting IPv4-mapped IPv6 addresses.
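The following Python model is added here as an illustration; it is not code from Net::CIDR::Lite or its author. It reproduces the behaviour the description attributes to _pack_ipv6(), find() and bin_find(): hex groups are packed into a 17-byte value (a leading carry byte plus 16 address bytes) without checking the group count, and range membership is decided by lexicographic comparison of those packed strings, which is what Perl's lt/gt do on byte strings. Python compares bytes the same way (a shorter string that is a prefix of a longer one sorts before it), so the "::/8" example from the description returns true for "1:2:3" here too. The function names, the prefix/mask arithmetic and the checks in the strict variant are assumptions made for this example; the page does not show the actual 0.23 fix.

```python
"""Model of the IPv6 group-count flaw described for Net::CIDR::Lite < 0.23.

Illustrative reimplementation in Python, not the module's own code. Function
names and the exact mask arithmetic are assumptions for this example.
"""
from __future__ import annotations

import re
from typing import Callable

_HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def _split_groups(addr: str) -> list[str]:
    """Return the textual hex groups, expanding a single '::' into zero groups."""
    if addr.count("::") > 1:
        raise ValueError(f"more than one '::' in {addr!r}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' in {addr!r} stands for no groups")
        return head_groups + ["0"] * missing + tail_groups
    return addr.split(":")


def pack_ipv6_lenient(addr: str) -> bytes:
    """Pre-0.23 behaviour as described: each group becomes 2 bytes behind a
    leading carry byte, and nobody checks that there are exactly 8 groups.
    'abcd' therefore packs to 3 bytes and '1:2:3' to 7, not 17."""
    out = b"\x00"  # leading carry byte, giving 17 bytes for a full address
    for group in _split_groups(addr):
        if not _HEX_GROUP.match(group):
            raise ValueError(f"bad hex group {group!r} in {addr!r}")
        out += int(group, 16).to_bytes(2, "big")
    return out


def pack_ipv6_strict(addr: str) -> bytes:
    """Hardened variant (assumed fix): reject anything that does not expand
    to exactly 8 groups, i.e. a 17-byte packed value."""
    packed = pack_ipv6_lenient(addr)
    if len(packed) != 17:
        raise ValueError(f"{addr!r} has {(len(packed) - 1) // 2} groups, need 8")
    return packed


def strict_rejects(addr: str) -> bool:
    """True if the strict packer refuses the input."""
    try:
        pack_ipv6_strict(addr)
    except ValueError:
        return True
    return False


def cidr_bounds(cidr: str, pack: Callable[[str], bytes]) -> tuple[bytes, bytes]:
    """Lowest and highest packed address of an IPv6 CIDR block."""
    addr, prefix = cidr.split("/")
    bits = int(prefix)
    if not 0 <= bits <= 128:
        raise ValueError(f"prefix length {bits} out of range")
    base = int.from_bytes(pack(addr)[1:], "big")
    host_bits = (1 << (128 - bits)) - 1
    lo = base & ~host_bits & ((1 << 128) - 1)
    hi = lo | host_bits
    return b"\x00" + lo.to_bytes(16, "big"), b"\x00" + hi.to_bytes(16, "big")


def find(cidr: str, addr: str, pack: Callable[[str], bytes] = pack_ipv6_lenient) -> bool:
    """Range test done the way the description says find()/bin_find() do it:
    lexicographic comparison of packed strings (Perl lt/gt). With the lenient
    packer a short packed value is compared against 17-byte bounds."""
    lo, hi = cidr_bounds(cidr, pack)
    packed = pack(addr)
    return lo <= packed <= hi


if __name__ == "__main__":
    acl = "::/8"  # constructed allow-list, as in the description's example
    for candidate in ("1:2:3", "abcd", "1:2:3:4:5:6:7:8", "100::"):
        lenient = find(acl, candidate)
        strict = "rejected" if strict_rejects(candidate) else find(acl, candidate, pack_ipv6_strict)
        print(f"{candidate!r:20} lenient={lenient!s:5} strict={strict}")
```

Run as a script it shows "1:2:3" accepted by the lenient path for the "::/8" block while the strict packer refuses it, and "abcd" reported as outside a block whose own prefix starts with abcd, because a 3-byte prefix sorts before the 17-byte lower bound. Any ACL check that passes attacker-influenced address text straight to find() should reject inputs that do not parse to exactly 8 groups before the comparison ever happens.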
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-11
EPSS Evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor    Product    Version / Range
stigtsp   net        versions before 0.23 (0.23 excluded)
Helpful Resources
CWE

CWE ID     Description
CWE-1286   Improper Validation of Syntactic Correctness of Input: the product receives input that is expected to be well-formed, i.e. to comply with a certain syntax, but it does not validate or incorrectly validates that the input complies with the syntax.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in Net::CIDR::Lite versions before 0.23 for Perl, where the software does not properly validate the number of groups in an IPv6 address.

Specifically, the _pack_ipv6() function fails to check that uncompressed IPv6 addresses have exactly 8 hexadecimal groups. As a result, invalid inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and produce incorrectly sized packed values.

These incorrect packed values are then used internally for mask and comparison operations. The find() and bin_find() functions rely on Perl string comparisons on these packed values, but comparing strings of different lengths leads to incorrect results.

This can cause the find() function to mistakenly report an IP address as being inside or outside a specified range, effectively allowing IP Access Control List (ACL) bypass.


How can this vulnerability impact me?

This vulnerability can allow an attacker to bypass IP-based access controls by exploiting the incorrect validation of IPv6 addresses.

Because the software may incorrectly determine whether an IP address is within a permitted range, unauthorized users could gain access to restricted resources or services.

This undermines network security measures that rely on accurate IP address filtering, potentially leading to unauthorized access, data exposure, or other security breaches.

