Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks
CVE-2026-49940

Currently unrated

Key Information:

Vendor: Rrwo
Status: Net::cidr::set
Vendor: CVE Published:; 4 June 2026

What is CVE-2026-49940?

Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks.

Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.

Affected Version(s)

Net::CIDR::Set 0 <= 0.20

References

https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes

release-notes

https://nvd.nist.gov/vuln/detail/CVE-2025-40911

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Jun 2, 2026

CVE-2026-49940 Data

JSON

Rrwo

What is CVE-2026-49940?

Affected Version(s)

References

Timeline