Input Validation Issue in Net::CIDR::Lite for Perl
CVE-2026-40198

7.5HIGH

Key Information:

Vendor: Stigtsp
Status: Net::cidr::lite
Vendor: CVE Published:; 10 April 2026

What is CVE-2026-40198?

The Net::CIDR::Lite library for Perl has a flaw that allows for improper validation of uncompressed IPv6 addresses. Specifically, versions prior to 0.23 do not ensure that these addresses contain exactly 8 hex groups, leading to possible IP Access Control List (ACL) bypasses. Invalid inputs such as 'abcd' or '1:2:3' can yield incorrect packed values, resulting in erroneous comparison outcomes during mask and range operations. This vulnerability highlights the need for robust input validation practices in the handling of IP addresses.

Affected Version(s)

Net::CIDR::Lite 0 < 0.23

References

https://github.com/stigtsp/Net-CIDR-Lite/commit/25d65f85d...

patch

https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.23/c...

release-notes

https://www.cve.org/CVERecord?id=CVE-2026-40199

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Apr 9, 2026

CVE-2026-40198 Data

JSON

Stigtsp

What is CVE-2026-40198?

Affected Version(s)

References

CVSS V3.1

Timeline