Skip to main content

Net::IP::LPM CVE-2026-56015

| EUVDEUVD-2026-41541 CRITICAL
Out-of-bounds Read (CWE-125)
2026-07-03 9b29abf9-4ab0-4765-b253-1875cd9b441e GHSA-q2wj-rfvr-wf9p
9.1
CVSS 3.1 · Vendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Share

Severity by source

Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
5.3 MEDIUM

Over-read bytes are never exposed (C:N, I:N); only realistic effect is a bounded read that can abort the process under a hardened allocator (A:L); reachable network via a consuming app that passes untrusted prefixes, so AV:N/AC:L/PR:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e).

CVSS VectorVendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 06, 2026 - 21:32 vuln.today
CVSS changed
Jul 06, 2026 - 19:22 NVD
9.1 (CRITICAL)
CVE Published
Jul 03, 2026 - 13:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length.

add() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width.

addPrefixToTrie() then walks the prefix buffer by prefix_length bits, reading prefix[byte] for byte up to prefix_len/8, where prefix is the 4-byte (IPv4) or 16-byte (IPv6) packed address. A prefix length greater than 32 for IPv4 or 128 for IPv6, for example add("1.2.3.4/255", $v) or add("2001:db8::/255", $v), reads past the end of the packed address.

The out-of-bounds read happens during trie construction and is bounded: the prefix length is stored as an unsigned char, so the bit walk reads at most 32 bytes from the start of the packed address, a short distance past the end of the 4-byte or 16-byte buffer. It is detectable under AddressSanitizer, valgrind, or a hardened allocator, where it can abort the process. Lookups and dump() format only the valid address width, so the out-of-bounds bytes are not exposed through the module's API.

AnalysisAI

Out-of-bounds heap read in the Net::IP::LPM Perl module (all versions through 1.10) is triggered when an application passes an oversized CIDR prefix length (e.g. add("1.2.3.4/255") or a /255 IPv6 prefix) to the trie builder, which walks the packed address buffer by the attacker-supplied bit count without validating it against the 32-bit/128-bit address width. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply oversized CIDR prefix to app
Delivery
App calls add() with '/255' prefix
Exploit
Trie builder walks bits past buffer
Execution
Heap out-of-bounds read during construction
Impact
Process aborts under hardened allocator (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application to call Net::IP::LPM's add() with an attacker-influenced prefix string whose prefix length exceeds the address-family width - specifically greater than /32 for IPv4 or greater than /128 for IPv6 (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application that builds a Net::IP::LPM trie from externally supplied prefix lists (for example, importing a route/ACL file or accepting CIDR strings over an API) passes an entry like "1.2.3.4/255" or "2001:db8::/255" to add(). During trie construction the module reads ~32 bytes past the packed address buffer; in a normal build this is silent, but on a hardened-allocator or ASan/valgrind build the process aborts, causing a denial of service. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the official patch published at https://security.metacpan.org/patches/N/Net-IP-LPM/1.10/CVE-2026-56015-r2.patch, or upgrade to the next Net::IP::LPM release incorporating it once published on CPAN (track the CPAN RT ticket https://rt.cpan.org/Ticket/Display.html?id=179856 and the oss-security thread https://seclists.org/oss-sec/2026/q3/16 for the tagged version). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all systems and code repositories using Net::IP::LPM (all versions ≤1.10) and identify which applications accept untrusted CIDR input. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56015 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy