CVE-2026-40199
IPv4-Mapped IPv6 ACL Bypass in Net::CIDR::Lite
Publication date: 2026-04-10
Last updated on: 2026-04-21
Assigner: CPANSec
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stigtsp | net | up to 0.23 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-130 | The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Net::CIDR::Lite versions before 0.23 for Perl, where the software mishandles IPv4-mapped IPv6 addresses. Specifically, when building the packed representation of these addresses, an extra sentinel byte is included, making the packed address 18 bytes long instead of the correct 17 bytes. This misalignment leads to incorrect results in mask operations and address lookups.
As a result, functions like find() may incorrectly match or miss addresses, allowing IP Access Control List (ACL) bypass. For example, an address outside the intended range might be incorrectly considered inside the range.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the mishandling of IPv4-mapped IPv6 addresses in Net::CIDR::Lite versions before 0.23 for Perl, which may allow IP ACL bypass. Detection requires verifying whether your system or network is using a vulnerable version of Net::CIDR::Lite.
Since the issue is in Perl code handling IPv4-mapped IPv6 addresses, you can check the installed version of Net::CIDR::Lite by running the following Perl command:

```shell
perl -MNet::CIDR::Lite -e 'print $Net::CIDR::Lite::VERSION, "\n"'
```

If the version is before 0.23, your system is vulnerable. Additionally, you can test the behavior of the find() method with IPv4-mapped IPv6 addresses to see if it incorrectly returns true for addresses outside the specified range, for example by running a Perl script similar to the example in the description.
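The following script is an added example, not code from the advisory or from the Net::CIDR::Lite distribution. It combines the version check above with a behavioural probe of find(): it builds an ACL from one IPv4-mapped IPv6 prefix and compares find() results against the answers a correct implementation must give. The allowed range (192.0.2.0/24, written as ::ffff:192.0.2.0/120) and the probe addresses are constructed from RFC 5737 documentation space and are not taken from the advisory; the advisory does not state which specific addresses a vulnerable version misclassifies, so a clean run of these few vectors is a sanity check, not proof that an install is unaffected. The version comparison is the authoritative test.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory or the module): version check plus a
# behavioural probe of Net::CIDR::Lite->find() with IPv4-mapped IPv6 addresses.
use strict;
use warnings;
use version;
use Net::CIDR::Lite;

# 1. Version check: every release before 0.23 is in the affected range.
my $installed = $Net::CIDR::Lite::VERSION;
my $affected  = version->parse($installed) < version->parse('0.23');
printf "Net::CIDR::Lite %s: %s\n", $installed,
    $affected ? 'AFFECTED (upgrade to 0.23 or later)' : 'fixed version';

# 2. Behavioural probe. The allowed range is an assumption for this example:
#    192.0.2.0/24 (RFC 5737 documentation space) expressed as the
#    IPv4-mapped IPv6 prefix ::ffff:192.0.2.0/120.
my $acl = Net::CIDR::Lite->new;
$acl->add('::ffff:192.0.2.0/120');

# Constructed test vectors: what a correct implementation must return.
my %expected = (
    '::ffff:192.0.2.10'   => 1,   # inside the mapped range
    '::ffff:192.0.2.255'  => 1,   # last address of the range
    '::ffff:192.0.3.0'    => 0,   # first address past the range
    '::ffff:198.51.100.7' => 0,   # unrelated documentation address
);

my $mismatches = 0;
for my $ip (sort keys %expected) {
    my $got = $acl->find($ip) ? 1 : 0;
    my $ok  = $got == $expected{$ip};
    $mismatches++ unless $ok;
    printf "%-22s find() -> %d  expected %d  %s\n",
        $ip, $got, $expected{$ip}, $ok ? 'ok' : 'MISMATCH';
}

if ($mismatches) {
    print "$mismatches mismatch(es): ACL decisions on IPv4-mapped addresses ",
          "are unreliable on this install\n";
} else {
    print "find() behaved as expected for these vectors\n";
}

# Non-zero exit if either check fails, so the script can gate a deploy job.
exit(($affected || $mismatches) ? 1 : 0);
```

Run it with `perl check_cidr_lite.pl` on each host that loads the module; the exit status is non-zero whenever the version is below 0.23 or any probe result differs from the expected value, which makes it easy to wire into a fleet-wide inventory job. Extend `%expected` with the prefixes your own ACLs actually use if you want the probe to reflect your deployment rather than the documentation range assumed here.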
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves upgrading Net::CIDR::Lite to version 0.23 or later, where the handling of IPv4-mapped IPv6 addresses is corrected.
If upgrading is not immediately possible, consider reviewing and tightening your IP ACLs to avoid relying on Net::CIDR::Lite for critical access control decisions involving IPv4-mapped IPv6 addresses.
Also, audit your Perl scripts or applications that use Net::CIDR::Lite to identify and patch any logic that may be affected by this vulnerability.
How can this vulnerability impact me?
The vulnerability can allow an attacker to bypass IP-based access controls by exploiting the incorrect handling of IPv4-mapped IPv6 addresses. This means that unauthorized IP addresses might be mistakenly granted access to systems or resources that rely on Net::CIDR::Lite for IP filtering.