Skip to main content

Net::CIDR::Lite CVE-2026-45190

| EUVDEUVD-2026-28998 MEDIUM
Improper Validation of Unsafe Equivalence in Input (CWE-1289)
2026-05-10 CPANSec GHSA-5vf8-328m-mxj5
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Source Code Evidence Fetched
May 12, 2026 - 17:45 vuln.today
Analysis Generated
May 12, 2026 - 17:45 vuln.today
CVSS changed
May 12, 2026 - 15:22 NVD
6.5 (MEDIUM)
CVE Published
May 10, 2026 - 20:15 nvd
UNKNOWN (no severity yet)
CVE Published
May 10, 2026 - 20:15 nvd
MEDIUM 6.5

DescriptionCVE.org

Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass.

Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result.

Example:

my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a");

incorrectly returns true

See also CVE-2026-45191.

AnalysisAI

Net::CIDR::Lite Perl module versions before 0.24 fail to properly validate IP address and CIDR mask inputs, allowing attackers to bypass IP-based access control lists by supplying malformed addresses that are re-encoded differently by the parser. Inputs with trailing newlines or non-ASCII digit characters pass validation but resolve to unintended IP addresses, causing find() and bin_find() functions to incorrectly match or miss addresses. This affects network security controls that rely on CIDR matching for authorization decisions.

Technical ContextAI

Net::CIDR::Lite is a Perl module that manages IPv4 and IPv6 CIDR address ranges for efficient IP filtering and ACL operations. The vulnerability stems from insufficient input validation in regex patterns used by the IP address and CIDR mask parsers. The original code uses anchors '^' and '$' in regular expressions (e.g., /^\d+$/, /^\d{1,3}$/), which can be bypassed because they anchor at string boundaries but do not prevent embedded newlines or non-ASCII characters from passing validation. When such malformed input is processed, the parser's re-encoding logic produces a different canonical address than the input string, creating a discrepancy between what the validator approved and what is stored and matched. The fix (per GitHub commit ca9542adec87110556601d7ce48381ea8d13e692) replaces all '^' and '$' anchors with \A and \z anchors, which enforce strict string start/end matching and reject any non-ASCII or whitespace characters. This affects the _pack_ipv4() function that validates dotted-quad octets, the add() method that validates CIDR masks, and the _unpack_ipv6() function that parses IPv6 address segments. The CWE-1289 classification (Improper Validation of Specified Quantity in Input) reflects the root cause: the validators do not correctly enforce the character set and format constraints required for valid IP notation.

RemediationAI

Upgrade Net::CIDR::Lite to version 0.24 or later. For Perl environments using CPAN or local package managers, run: cpan -i Net::CIDR::Lite or execute perl -MCPAN -e 'install Net::CIDR::Lite' to fetch and install the patched version. Verify the installed version with: perl -e 'use Net::CIDR::Lite; print $Net::CIDR::Lite::VERSION' to confirm it is >= 0.24. If immediate patching is not possible, implement compensating controls: (1) Restrict input to Net::CIDR::Lite functions to ASCII alphanumeric characters and colons/dots only, rejecting any inputs containing whitespace, newlines, or extended characters before passing them to the module (trade-off: validation logic must be maintained separately and tested). (2) Use an additional, independently-written IP validation library to cross-check CIDR results before making security decisions (trade-off: performance overhead and complexity). (3) If this module is used in high-trust contexts (e.g., firewall rules), deploy network-level ACLs independently of application-level CIDR checks (defense in depth, not a workaround). The vendor advisory is available at https://github.com/stigtsp/Net-CIDR-Lite/commit/ca9542adec87110556601d7ce48381ea8d13e692.patch and https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes.

More in Net

View all
CVE-2026-33811 HIGH POC
7.5 May 07

Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing mali

CVE-2018-17848 HIGH POC
7.5 Oct 01

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "

CVE-2018-17847 HIGH POC
7.5 Oct 01

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading

CVE-2018-17143 HIGH POC
7.5 Sep 17

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a

CVE-2018-17142 HIGH POC
7.5 Sep 17

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "pani

CVE-2018-17075 HIGH POC
7.5 Sep 16

The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic:

CVE-2026-45491 MEDIUM POC
5.5 Jun 09

Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthe

CVE-2024-43498 CRITICAL
9.8 Nov 12

.NET and Visual Studio Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-36049 CRITICAL
9.8 Nov 14

.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this v

CVE-2024-57854 CRITICAL
9.1 Mar 05

Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.

CVE-2026-11373 CRITICAL
9.1 Jun 22

Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric name

CVE-2026-45591 HIGH
7.5 Jun 09

Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disru

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-45190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy