Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <adlu6vUp3UOxylFF@ava>
Date: Fri, 10 Apr 2026 23:44:55 +0200
From: Stig Palmquist <stig@...g.io>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-40198: Net::CIDR::Lite versions before 0.23 for Perl does
 not validate IPv6 group count, which may allow IP ACL bypass

========================================================================
CVE-2026-40198                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-40198
  Distribution:  Net-CIDR-Lite
      Versions:  before 0.23

      MetaCPAN:  https://metacpan.org/dist/Net-CIDR-Lite
      VCS Repo:  https://github.com/stigtsp/Net-CIDR-Lite


Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6
group count, which may allow IP ACL bypass

Description
-----------
Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6
group count, which may allow IP ACL bypass.

_pack_ipv6() does not check that uncompressed IPv6 addresses (without
::) have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or
"1:2:3:4:5:6:7" are accepted and produce packed values of wrong length
(3, 7, or 15 bytes instead of 17).

The packed values are used internally for mask and comparison
operations. find() and bin_find() use Perl string comparison (lt/gt) on
these values, and comparing strings of different lengths gives wrong
results. This can cause find() to incorrectly report an address as
inside or outside a range.

Example:

  my $cidr = Net::CIDR::Lite->new("::/8");
  $cidr->find("1:2:3");  # invalid input, incorrectly returns true

This is the same class of input validation issue as CVE-2021-47154
(IPv4 leading zeros) previously fixed in this module.

See also CVE-2026-40199, a related issue in the same function affecting
IPv4 mapped IPv6 addresses.

Problem types
-------------
- CWE-1286 Improper Validation of Syntactic Correctness of Input

Solutions
---------
Upgrade to version 0.23 or newer, or apply the patch provided.


References
----------
https://github.com/stigtsp/Net-CIDR-Lite/commit/25d65f85dbe4885959a10471725ec9d250a589c3.patch
https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.23/changes
https://www.cve.org/CVERecord?id=CVE-2026-40199

Timeline
--------
- 2026-04-09: Vulnerability found
- 2026-04-10: Net-CIDR-Lite version 0.23 released

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.