Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks.
The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks.
Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.
AnalysisAI
Improper input validation in the Perl module Net::CIDR::Set through version 0.20 allows attackers to bypass network access controls by submitting network masks containing Unicode digits (e.g., Arabic-Indic numerals like U+0661) or leading zeros that are silently ignored or misinterpreted. The CVSS 7.3 score reflects low-impact compromise across confidentiality, integrity, and availability via the network, with no public exploit identified at time of analysis. Applications using this module for ACL or firewall-like decisions may grant access to wider IP ranges than intended.
Technical ContextAI
Net::CIDR::Set is a Perl CPAN module (distributed by author RRWO, CPE cpe:2.3:a:rrwo:net::cidr::set) that represents and manipulates sets of CIDR network ranges, commonly used in Perl applications for access control, IP allow/deny lists, and routing logic. The flaw maps to CWE-1289 (Improper Validation of Unsafe Equivalence in Input): the module's parser accepted mask portions containing non-ASCII Unicode digit characters or non-digit characters (silently ignoring them), and treated leading-zero masks as decimal rather than octal - both behaviors diverging from RFC and POSIX expectations for IP/CIDR notation. Because the parsed value differs from what a developer or operator visually reads, the canonical set may represent a larger or different network than intended.
RemediationAI
Vendor-released patch: Net::CIDR::Set 0.21 - upgrade via cpanm Net::CIDR::Set@0.21 or equivalent and rebuild any vendored/packaged distributions; see the release changelog at https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes and the oss-security advisory at https://seclists.org/oss-sec/2026/q2/816. Until the upgrade is rolled out, applications that accept user-supplied CIDR strings should pre-validate input with a strict ASCII regex such as /^\d{1,3}(\.\d{1,3}){3}\/\d{1,2}$/ (or the IPv6 equivalent) and reject any string containing non-ASCII codepoints or leading zeros - the trade-off is rejecting legitimate-but-unusual notations like octal-form addresses some legacy tooling emits. Operators should also review existing rule sets generated by vulnerable versions for unintentionally broadened ranges, since stored rulesets remain incorrect even after the library is patched.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: ImportantShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34299
GHSA-fff7-gx98-vr3g