Skip to main content

Net::CIDR::Set CVE-2026-49940

| EUVDEUVD-2026-34297 MEDIUM
Improper Validation of Unsafe Equivalence in Input (CWE-1289)
2026-06-04 CPANSec GHSA-hpv8-77xm-27wx
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 19:26 vuln.today
CVSS changed
Jun 04, 2026 - 18:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 04, 2026 - 16:07 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks.

Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.

AnalysisAI

Net::CIDR::Set versions through 0.20 for Perl incorrectly accepts Unicode digits in IP addresses and CIDR netmasks, enabling network access controls to silently permit broader address ranges than intended. Applications relying on this library to enforce IP-based allowlists or blocklists may inadvertently grant or deny access to incorrect network ranges when Unicode look-alike digits (e.g., Arabic-Indic U+0661 instead of ASCII '1') are supplied as input. With no public exploit identified at time of analysis and SSVC exploitation status of none, this is a medium-severity library flaw requiring patch deployment rather than emergency response, but the automatable nature of the attack vector warrants prompt remediation in access-control-sensitive deployments.

Technical ContextAI

Net::CIDR::Set is a Perl CPAN module (publisher: RRWO) for managing sets of IP network ranges expressed in CIDR notation, commonly used in access control, firewall rule management, and IP filtering logic. The vulnerability is classified under CWE-1289 (Improper Validation of Consistency within Input), meaning the library fails to enforce consistency between what characters it accepts and what it meaningfully parses. Specifically, Unicode decimal digit characters - such as the Arabic-Indic digit ONE (U+0661, visually '١') - fall within Unicode's Nd (decimal digit) character category and may pass loose regex or character-class checks, yet are not equivalent to ASCII '1' (U+0031) in numeric parsing contexts. When such characters appear in a netmask (e.g., /2٤ instead of /24), the library misinterprets the numeric value, yielding an incorrect prefix length and thus a different - potentially far larger - network range. The affected CPE is cpe:2.3:a:rrwo:net::cidr::set:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to Net::CIDR::Set version 0.21, which is the vendor-released patch as confirmed by the RRWO changelog on MetaCPAN (https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes). Using CPAN or cpanm: run 'cpan Net::CIDR::Set' or 'cpanm Net::CIDR::Set' to pull the latest release. The oss-security advisory (https://seclists.org/oss-sec/2026/q2/814) provides disclosure details. If an immediate upgrade is not possible, applications should sanitize all externally-supplied IP address and CIDR input by stripping or rejecting any non-ASCII characters before passing values to Net::CIDR::Set - for example, enforcing a strict regex such as /^[0-9a-fA-F.:/]+$/ prior to library calls. This workaround adds an input validation layer but does not fix the underlying library defect and should be treated as temporary only. Applications that accept CIDR input only from trusted internal sources (not user-supplied) have significantly reduced exposure.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-49940 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy