CVE-2026-40199
Received Received - Intake
IPv4-Mapped IPv6 ACL Bypass in Net::CIDR::Lite

Publication date: 2026-04-10

Last updated on: 2026-04-21

Assigner: CPANSec

Description
Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. _pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address. The wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find() which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses. Example: my $cidr = Net::CIDR::Lite->new("::ffff:192.168.1.0/120"); $cidr->find("::ffff:192.168.2.0"); # incorrectly returns true This is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x). See also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40199
EUVD
EUVD-2026-21611
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
stigtsp net to 0.23 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-130 The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves the mishandling of IPv4 mapped IPv6 addresses in Net::CIDR::Lite versions before 0.23 for Perl, which may allow IP ACL bypass. Detection would require verifying if your system or network is using a vulnerable version of Net::CIDR::Lite.

Since the issue is in Perl code handling IPv4 mapped IPv6 addresses, you can check the version of Net::CIDR::Lite installed by running the following Perl command:

  • perl -MNet::CIDR::Lite -e 'print $Net::CIDR::Lite::VERSION, "\n"'

If the version is before 0.23, your system is vulnerable. Additionally, you can test the behavior of the find() method with IPv4 mapped IPv6 addresses to see if it incorrectly returns true for addresses outside the specified range, for example by running a Perl script similar to the example in the description.

Mitigation Strategies

Immediate mitigation involves upgrading Net::CIDR::Lite to version 0.23 or later, where the handling of IPv4 mapped IPv6 addresses is corrected.

If upgrading is not immediately possible, consider reviewing and tightening your IP ACLs to avoid relying on Net::CIDR::Lite for critical access control decisions involving IPv4 mapped IPv6 addresses.

Also, audit your Perl scripts or applications that use Net::CIDR::Lite to identify and patch any logic that may be affected by this vulnerability.

Executive Summary

This vulnerability exists in Net::CIDR::Lite versions before 0.23 for Perl, where the software mishandles IPv4 mapped IPv6 addresses. Specifically, when building the packed representation of these addresses, an extra sentinel byte is included, causing the address to be 18 bytes long instead of the correct 17 bytes. This misalignment leads to incorrect results in mask operations and address lookups.

As a result, functions like find() may incorrectly match or miss addresses, allowing IP Access Control List (ACL) bypass. For example, an address outside the intended range might be incorrectly considered inside the range.

Impact Analysis

The vulnerability can allow an attacker to bypass IP-based access controls by exploiting the incorrect handling of IPv4 mapped IPv6 addresses. This means that unauthorized IP addresses might be mistakenly granted access to systems or resources that rely on Net::CIDR::Lite for IP filtering.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40199. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart