CVE-2026-45191
Received Received - Intake
Net::CIDR::Lite CIDR Mask Validation Bypass

Publication date: 2026-05-10

Last updated on: 2026-05-11

Assigner: CPANSec

Description
Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass. Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value. See also CVE-2026-45190.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-11
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-45191
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1289 The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Net::CIDR::Lite versions before 0.24 for Perl. The issue is that the software does not properly handle extraneous zero characters in CIDR mask values. For example, mask forms like "/00" and "/01" are incorrectly accepted as valid and parse to the same prefix as their unpadded counterparts. This improper validation can lead to an IP Access Control List (ACL) bypass.

Impact Analysis

Because the vulnerability allows IP ACL bypass, an attacker could potentially circumvent network access restrictions that rely on CIDR mask validation. This could lead to unauthorized access to systems or resources that are supposed to be protected by IP-based ACLs.

Detection Guidance

This vulnerability involves improper validation of zero-padded CIDR mask values in Net::CIDR::Lite versions before 0.24, which may allow IP ACL bypass. Detection would involve identifying usage of vulnerable Net::CIDR::Lite versions in your Perl environment and checking for CIDR mask values with extraneous zero characters such as "/00" or "/01" in ACL configurations.

Since the vulnerability is related to parsing CIDR masks, you can search your system or network configuration files or scripts for CIDR masks with leading zeros in the mask portion.

  • Use grep or similar tools to find CIDR masks with zero-padded masks, e.g.: grep -rE '/0[0-9]+' /path/to/configs
  • Check the installed version of Net::CIDR::Lite in your Perl environment: perl -MNet::CIDR::Lite -e 'print $Net::CIDR::Lite::VERSION . "\n";'

If the version is before 0.24, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to update Net::CIDR::Lite to version 0.24 or later, which includes a patch that properly validates CIDR mask values and rejects zero-padded masks.

If updating is not immediately possible, review and sanitize all CIDR mask inputs in your ACL configurations and scripts to ensure no zero-padded masks like "/00" or "/01" are used.

Apply the patch referenced in Resource 2 if you maintain your own version of Net::CIDR::Lite.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45191. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart