IP ACL Bypass in Net::CIDR::Lite for Perl
CVE-2026-40199
Currently unrated
What is CVE-2026-40199?
The Net::CIDR::Lite module for Perl mishandles IPv4-mapped IPv6 addresses, potentially allowing an IP ACL bypass. When constructing the packed representation of an IPv4-mapped address, the module incorrectly includes an extra byte from the IPv4 packing process, which misaligns the packed value. Mask operations and string comparisons on that value then produce improper outcomes, which can cause the 'find' and 'bin_find' methods to return incorrect results. For example, valid queries may erroneously match or fail to match because the packed address does not have the expected length. This vulnerability particularly affects addresses that follow the RFC 4291 IPv4-mapped address format.
Affected Version(s)
Net::CIDR::Lite 0 < 0.23
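
To check a host against the behaviour described above, the following added example (not part of the advisory or of the Net::CIDR::Lite project) compares the installed module version with the affected range and verifies that 'find' and 'bin_find' give the same answer for the dotted and hex spellings of one IPv4-mapped address. The ranges and addresses are constructed test data from documentation prefixes, and the expected answers rest only on the fact that both spellings name the same 128-bit address.

```perl
#!/usr/bin/env perl
# Added example: regression check for IPv4-mapped IPv6 handling in Net::CIDR::Lite.
use strict;
use warnings;
use version;
use Net::CIDR::Lite;

# Compare the installed version with the affected range listed on this page.
my $installed = Net::CIDR::Lite->VERSION;
my $affected  = version->parse($installed) < version->parse('0.23');
printf "Net::CIDR::Lite %s: %s\n", $installed,
    $affected ? 'inside the affected range (< 0.23)' : 'outside the affected range';

# Constructed test data (RFC 5737 documentation prefixes). Each case is a range,
# a query address, and the answer a correct implementation must return.
# ::ffff:192.0.2.10 and ::ffff:c000:20a are the same 128-bit address.
my @cases = (
    [ '::ffff:c000:200/120',  '::ffff:192.0.2.10',    1 ],
    [ '::ffff:192.0.2.0/120', '::ffff:c000:20a',      1 ],
    [ '::ffff:192.0.2.0/120', '::ffff:192.0.2.10',    1 ],
    [ '::ffff:c000:200/120',  '::ffff:198.51.100.10', 0 ],
    [ '::ffff:192.0.2.0/120', '::ffff:c633:640a',     0 ],
);

my $failures = 0;
for my $case (@cases) {
    my ($range, $query, $expected) = @$case;
    for my $method (qw(find bin_find)) {
        # A fresh object per check keeps the cases independent. eval turns a
        # die/confess raised while parsing into a reported error.
        my $got = eval {
            my $acl = Net::CIDR::Lite->new;
            $acl->add($range);
            $acl->prep_find;
            $acl->$method($query) ? 1 : 0;
        };
        my $ok = defined $got && $got == $expected;
        $failures++ unless $ok;
        printf "%-4s %-8s range=%-22s query=%-22s expected=%d got=%s\n",
            $ok ? 'ok' : 'FAIL', $method, $range, $query, $expected,
            defined $got ? $got : 'error';
    }
}

# Non-zero exit when any lookup disagrees with the expected answer.
exit($failures ? 1 : 0);
```

The script exits non-zero if any lookup disagrees with the expected answer, so it can run as a deployment or CI check wherever the module backs an allow-list or deny-list.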
