CVE-2026-49941
Status: Analyzed (Analysis Complete)
Recursive DoS in Net::CIDR::Set Perl Module

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: CPANSec

Description
Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If an address did not look like a netmask or a network range, it was assumed to be a single IP address and passed back to _encode as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, this led to indefinite recursion. An attacker could use this to cause a denial of service.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-23
Affected Vendors & Products (1 associated CPE)
Vendor: rrwo
Product: net
Version / Range: up to 0.21 (exclusive)
CWE
CWE-1287: The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Net::CIDR::Set to version 0.21 or later, where the issue has been fixed.
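As a defensive complement to the upgrade, the following is an added example written for this page; it is not code from the Net::CIDR::Set distribution or its maintainer. It guards the call path described in the advisory (add passing unrecognised input down to _encode) by validating each address with the core Socket module's inet_pton before the module ever sees it, and refuses to run on an affected version. It assumes Net::CIDR::Set exposes the conventional new constructor alongside the add method named above and sets $Net::CIDR::Set::VERSION as CPAN modules normally do; is_well_formed_cidr and safe_add are hypothetical helper names introduced here, and the numeric version comparison is an assumption that holds for plain two-digit versions such as 0.20 and 0.21.

```perl
#!/usr/bin/env perl
# Added example for this advisory page (not part of Net::CIDR::Set):
# validate addresses before handing them to ->add, and refuse to run
# on a release the advisory lists as affected (anything below 0.21).
use strict;
use warnings;
use Socket qw(AF_INET AF_INET6 inet_pton);
use Net::CIDR::Set;   # assumption: provides new() and add() as described

# Returns 1 if $addr is a well-formed IPv4 or IPv6 address, optionally
# followed by "/prefix", otherwise 0. inet_pton returns undef on anything
# it cannot parse, which is exactly the input that triggered the recursion.
sub is_well_formed_cidr {
    my ($addr) = @_;
    return 0 unless defined $addr && length $addr;
    my ($ip, $bits) = split m{/}, $addr, 2;
    my $family = ($ip =~ /:/) ? AF_INET6 : AF_INET;
    return 0 unless defined inet_pton($family, $ip);
    if (defined $bits) {
        my $max = $family == AF_INET6 ? 128 : 32;
        return 0 unless $bits =~ /^\d+$/ && $bits <= $max;
    }
    return 1;
}

# Wrapper around ->add that rejects malformed input up front, so the
# module's own parser only ever receives addresses it can encode.
sub safe_add {
    my ($set, @addrs) = @_;
    for my $a (@addrs) {
        die "rejected malformed address: '$a'\n" unless is_well_formed_cidr($a);
        $set->add($a);
    }
    return $set;
}

# Version gate: 0.20 and earlier are affected according to the advisory.
# (Assumption: $VERSION is a plain numeric string, so "<" compares correctly.)
die "Net::CIDR::Set $Net::CIDR::Set::VERSION is affected; upgrade to 0.21 or later\n"
    if $Net::CIDR::Set::VERSION < 0.21;

# Constructed sample input: two valid entries followed by one malformed one.
my $set = Net::CIDR::Set->new;
safe_add($set, '192.0.2.0/24', '2001:db8::1');
eval { safe_add($set, 'not-an-address') };
print $@ ? "malformed input rejected before reaching add\n" : "unexpected: accepted\n";
```

The validator deliberately accepts only single addresses and CIDR prefixes; the address-range form the advisory mentions (two addresses joined by a dash) is not recognised by it and would need a separate check, so callers that rely on ranges should extend is_well_formed_cidr rather than bypass it. The version gate is a belt-and-braces measure for deployments where the upgrade cannot be enforced through packaging alone.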

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.

Executive Summary

This vulnerability exists in Net::CIDR::Set versions through 0.20 for Perl, where the software does not properly validate IP addresses.

The add method calls the _encode method to parse addresses. If the addresses do not resemble netmasks or network ranges, they are assumed to be single IP addresses and are passed back to the method as a 32-bit or 128-bit netmask.

If the argument is not a well-formed IP address, this causes indefinite recursion, which can be exploited by an attacker.

Impact Analysis

An attacker could exploit this vulnerability to cause a denial of service (DoS) by triggering indefinite recursion in the IP address parsing function.
