CVE-2026-49942
Analyzed Analyzed - Analysis Complete
Net::CIDR::Set Perl Module Network Mask Validation Bypass

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: CPANSec

Description
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-08
Generated
2026-06-25
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-49942
EUVD
EUVD-2026-34299
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rrwo net to 0.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1289 The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided context and resources do not contain information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects Net::CIDR::Set versions through 0.20 for Perl, where the software did not properly validate network masks.

Specifically, the mask portion of a network mask could include Unicode digits such as the Arabic-Indic One (U+0661) or non-digit characters, which were ignored during validation. This flaw allowed network masks to accept larger networks than intended.

Additionally, leading zeros in the mask were accepted but treated as decimal numbers instead of octal, causing confusion about which networks were considered valid.

Impact Analysis

Because the network mask validation is flawed, attackers could craft network masks that bypass intended restrictions by using Unicode digits or improperly formatted masks.

This could lead to acceptance of larger or unintended network ranges, potentially allowing unauthorized access or bypassing network access controls.

Such bypasses might compromise the integrity of network-based security policies or filters that rely on accurate CIDR mask validation.

Mitigation Strategies

To mitigate this vulnerability, you should update Net::CIDR::Set to a version that properly validates network masks and does not accept invalid or confusing mask formats such as those containing Unicode digits or leading zeros treated incorrectly.

Since the vulnerability affects versions through 0.20, upgrading to a later patched version or applying available patches is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart