CVE-2026-56015
Status: Received - Intake

Heap Out-of-Bounds Read in Net::IP::LPM

Vulnerability report for CVE-2026-56015, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: CPANSec

Description

Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length. add() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width. addPrefixToTrie() then walks the prefix buffer by prefix_length bits, reading prefix[byte] for byte up to prefix_len/8, where prefix is the 4-byte (IPv4) or 16-byte (IPv6) packed address. A prefix length greater than 32 for IPv4 or 128 for IPv6, for example add("1.2.3.4/255", $v) or add("2001:db8::/255", $v), reads past the end of the packed address. The out-of-bounds read happens during trie construction and is bounded: the prefix length is stored as an unsigned char, so the bit walk reads at most 32 bytes from the start of the packed address, a short distance past the end of the 4-byte or 16-byte buffer. It is detectable under AddressSanitizer, valgrind, or a hardened allocator, where it can abort the process. Lookups and dump() format only the valid address width, so the out-of-bounds bytes are not exposed through the module's API.
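The walk described above, as an added example that is not Net::IP::LPM's own code: a small C program that models how far an unchecked bit walk over a packed 4-byte or 16-byte address reaches for a given prefix length, and a parser that applies the missing check (prefix length no wider than the address) before any walk begins. The function names (last_byte_touched, bytes_past_end, parse_prefix, walk_prefix_bits), the MSB-first loop shape, and the assumption that the walk touches byte (prefix_len-1)/8 for the last bit are this example's own, reconstructed from the description rather than taken from the module's source; the sample inputs are constructed.

```c
/* Added example, not Net::IP::LPM code.  Models the unchecked bit walk the
 * CVE description sketches, then shows the bound it is missing.  All names
 * and the exact loop shape are assumptions reconstructed from the description. */
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ADDR_BYTES 16   /* IPv6 packed address; IPv4 uses the first 4 */

/* Highest byte index an unchecked walk touches when it consumes prefix_len
 * bits: bit i lives in byte i/8, so the last bit, prefix_len-1, lives in
 * byte (prefix_len-1)/8 (assumed loop shape).  With prefix_len held in an
 * unsigned char (max 255) that is at most byte 31, i.e. 32 bytes read.
 * Returns -1 for a zero-length prefix, which reads nothing. */
int last_byte_touched(unsigned char prefix_len)
{
    if (prefix_len == 0)
        return -1;
    return (prefix_len - 1) / 8;
}

/* Bytes read past the end of an addr_len-byte packed address (0 = in bounds). */
int bytes_past_end(int addr_len, unsigned char prefix_len)
{
    int over = last_byte_touched(prefix_len) - (addr_len - 1);
    return over > 0 ? over : 0;
}

/* Parse "addr/len" into a packed address, its byte length and the prefix
 * length, applying the check the module lacks: len <= 8 * addr_len.
 * Returns 0 on success, -1 on malformed or out-of-range input. */
int parse_prefix(const char *text, unsigned char addr[MAX_ADDR_BYTES],
                 int *addr_len, int *prefix_len)
{
    char buf[64];
    char *slash, *end;
    unsigned long len;
    int family;

    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash == NULL)
        return -1;
    *slash = '\0';

    family = strchr(buf, ':') ? AF_INET6 : AF_INET;
    *addr_len = (family == AF_INET6) ? 16 : 4;
    if (inet_pton(family, buf, addr) != 1)
        return -1;

    errno = 0;
    len = strtoul(slash + 1, &end, 10);
    if (errno != 0 || end == slash + 1 || *end != '\0')
        return -1;
    if (len > (unsigned long)*addr_len * 8)   /* the missing bound: 32 or 128 */
        return -1;
    *prefix_len = (int)len;
    return 0;
}

/* Bounded walk: visits each prefix bit MSB-first and never indexes past
 * addr_len.  Returns bits visited, or -1 if the walk would leave the buffer. */
int walk_prefix_bits(const unsigned char *addr, int addr_len, int prefix_len,
                     void (*visit)(int bit_index, int bit_value, void *ctx),
                     void *ctx)
{
    int i;
    if (prefix_len < 0 || prefix_len > addr_len * 8)
        return -1;
    for (i = 0; i < prefix_len; i++) {
        int bit = (addr[i / 8] >> (7 - i % 8)) & 1;   /* i/8 < addr_len here */
        if (visit)
            visit(i, bit, ctx);
    }
    return prefix_len;
}

/* Example visitor: counts set bits in the prefix. */
static void count_ones(int bit_index, int bit_value, void *ctx)
{
    (void)bit_index;
    if (bit_value)
        (*(int *)ctx)++;
}

int main(void)
{
    /* Constructed inputs: two valid prefixes and the two from the description. */
    const char *inputs[] = { "10.0.0.0/8", "1.2.3.4/255", "2001:db8::/32", "2001:db8::/255" };
    unsigned char addr[MAX_ADDR_BYTES];
    int addr_len, prefix_len;
    size_t k;

    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        if (parse_prefix(inputs[k], addr, &addr_len, &prefix_len) == 0) {
            int ones = 0;
            walk_prefix_bits(addr, addr_len, prefix_len, count_ones, &ones);
            printf("%-16s accepted: %d-byte address, %d prefix bits, %d set\n",
                   inputs[k], addr_len, prefix_len, ones);
        } else {
            printf("%-16s rejected\n", inputs[k]);
        }
    }
    printf("unchecked /255 reads up to byte %d: %d bytes past IPv4, %d past IPv6\n",
           last_byte_touched(255), bytes_past_end(4, 255), bytes_past_end(16, 255));
    return 0;
}
```

The two numbers the program prints for /255 (28 bytes past a 4-byte address, 16 past a 16-byte one) are what bound the over-read to "at most 32 bytes from the start of the packed address" in the description; the same check in parse_prefix is the one a Perl caller should apply before add() while unpatched.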

CVSS Scores: none listed

EPSS Scores: not evaluated (probability and percentile not available)

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A
Cross-references: NVD, EUVD

Affected Vendors & Products

Currently, no data is known. The description itself names Net::IP::LPM for Perl, versions through 1.10.

Exploitability

CWE: CWE-125, The product reads data past the end, or before the beginning, of the intended buffer.
KEV: none listed

AI Quick Actions

Executive Summary

The vulnerability in Net::IP::LPM versions through 1.10 for Perl is a heap out-of-bounds read caused by an unbounded prefix length. add() hands the prefix string to addPrefixToTrie() without checking the length against the address width, and addPrefixToTrie() then reads bits from the packed address for as many bits as the prefix length says. When the prefix length exceeds the address width (greater than 32 for IPv4 or 128 for IPv6), the walk reads memory beyond the 4-byte or 16-byte packed address.

The prefix length is stored as an unsigned char, which limits the walk to 32 bytes from the start of the packed address, so the over-read is at most 28 bytes past an IPv4 address or 16 bytes past an IPv6 address. It still reads memory the module does not own. The over-read occurs during trie construction and is detected by AddressSanitizer, valgrind or a hardened allocator, which can abort the process.

The fix is a bounds check that rejects a prefix length wider than the address before the trie walk starts.

Impact Analysis

The practical impact is denial of service. A plain build will usually read a few adjacent heap bytes silently, while a hardened allocator, AddressSanitizer or valgrind will abort the process. The over-read bytes are never returned through lookups or dump(), so there is no information disclosure through the module's API, and a read on its own cannot corrupt memory. The exposure is therefore greatest where prefix strings come from untrusted input, such as user-supplied configuration or data received from the network, and an attacker can choose the prefix length.

Detection Guidance

The bug is only observable at runtime under a memory error detector, since a plain build reads past the packed address without any visible effect. Two complementary checks apply: audit the code for call sites where add() receives prefix strings built from untrusted input, and run the test suite or the application under valgrind or AddressSanitizer so the over-read in addPrefixToTrie() shows up as an invalid read.

To run under valgrind (memcheck is the default tool, and --error-exitcode turns a finding into a non-zero exit status for scripts):

  • valgrind --error-exitcode=1 perl your_script.pl

Expect some unrelated noise from the perl interpreter itself; the report that matters is an invalid read inside the module's XS object during trie construction.

AddressSanitizer instruments at compile time, so it only sees the module if its XS code was built with -fsanitize=address, for example by passing OPTIMIZE='-g -fsanitize=address' to perl Makefile.PL. If the perl binary itself was not built with ASan, the ASan runtime must be preloaded when running:

  • LD_PRELOAD=$(gcc -print-file-name=libasan.so) perl your_script.pl

ASan aborts on the first invalid read by default, so no ASAN_OPTIONS setting is needed for this bug (detect_odr_violation controls an unrelated check). A script that calls add("1.2.3.4/255", $v) or add("2001:db8::/255", $v), as in the description, is enough to trigger the report.

Mitigation Strategies

The immediate mitigation is to apply the fix that checks the prefix length against the address width (at most 32 for IPv4, at most 128 for IPv6) before the string reaches addPrefixToTrie(). The CVE text covers versions through 1.10, so a later release is expected to carry the check; confirm against the module's changelog, as this page cites no specific fixed version.

If patching is not immediately possible, validate prefix strings before calling add(): parse the length after the slash, reject anything that is not a decimal integer, and reject a length above 32 for an IPv4 address or above 128 for an IPv6 address. Apply this at every point where prefixes come from untrusted input.

Running the application under AddressSanitizer or valgrind is a diagnostic, not a mitigation: it turns a silent over-read into an abort, which is the same denial-of-service outcome the bug already risks under a hardened allocator.
