Severity by source
Primary rating from NVD.
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (CVE.org)
Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.
The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to be single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.
If the argument was not a well-formed IP address, then this would lead to indefinite recursion.
An attacker could use this to cause a denial of service.
Analysis (AI)
Denial of service in the Perl module Net::CIDR::Set through version 0.20 allows remote unauthenticated attackers to trigger indefinite recursion by submitting malformed IP address strings to the add() method. The flaw stems from missing input validation when parsing addresses, causing the parser to re-enter itself without a termination condition. …
Vulnerability Assessment (AI)
| Section | Assessment |
|---|---|
| Exploitation | Exploitation requires that the target application calls Net::CIDR::Set->add() (or another method that funnels through _encode()) on attacker-controlled string input without first validating that the string is a well-formed IPv4 or IPv6 address or CIDR range; any malformed string that fails the internal netmask and range regex checks will trigger the indefinite recursion. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H yields 7.5 (High) and accurately captures the impact profile: network-reachable, no authentication, low complexity, availability-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a web endpoint that accepts an IP or CIDR string (for example an allowlist form, abuse-report API, or firewall management UI) backed by a Perl service using Net::CIDR::Set. They submit a malformed value such as 'notanip' or '999.999.999.999'; the add() method recurses indefinitely, exhausts the worker stack, and the request handler dies. … |
| Remediation | Upgrade to Net::CIDR::Set 0.21 or later from CPAN (vendor-released patch: 0.21), which adds proper IP address validation in _encode() before recursing; the release notes are at https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes and the coordination advisory is at https://seclists.org/oss-sec/2026/q2/815. … Detailed patch versions, workarounds, and compensating controls in full report. |
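The following is an added example, not code from Net::CIDR::Set or from the advisory: a caller-side input check applied before add(), so that untrusted strings never reach the recursive _encode() path described in the CVE text. It assumes $set was built with Net::CIDR::Set->new, and covers single addresses and CIDR blocks only, not the "a-b" range syntax the module also accepts.

```perl
#!/usr/bin/perl
# Added example (not from Net::CIDR::Set or the advisory): validate untrusted
# address strings before they reach add(), so malformed input never enters
# the recursive _encode() path. Upgrading to 0.21 is still the fix; this is
# a compensating control for callers that cannot upgrade immediately.
use strict;
use warnings;
use Socket qw(AF_INET AF_INET6 inet_pton);

# Returns 1 if $str is a single IPv4/IPv6 address or a CIDR block with an
# in-range prefix length, 0 otherwise. Ranges ("a-b") are not handled here.
sub is_valid_cidr {
    my ($str) = @_;
    return 0 unless defined $str && length $str;
    my @parts = split m{/}, $str, -1;   # -1 keeps a trailing empty field ("1.2.3.4/")
    return 0 if @parts > 2;
    my ($addr, $bits) = @parts;
    my $max_bits;
    if ($addr =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ && inet_pton(AF_INET, $addr)) {
        $max_bits = 32;     # strict dotted quad; octet range enforced by inet_pton
    } elsif ($addr =~ /^[0-9A-Fa-f:.]+$/ && inet_pton(AF_INET6, $addr)) {
        $max_bits = 128;    # also accepts IPv4-mapped forms like ::ffff:10.1.2.3
    } else {
        return 0;           # 'notanip', '999.999.999.999', '', ...
    }
    return 1 unless defined $bits;
    return 0 unless $bits =~ /^(?:0|[1-9]\d{0,2})$/;   # digits only, no sign, no blanks
    return $bits <= $max_bits ? 1 : 0;
}

# Gatekeeper around the module: $set is assumed to come from
# Net::CIDR::Set->new; only validated strings are forwarded to add().
sub guarded_add {
    my ($set, $str) = @_;
    die "rejected malformed address '$str'\n" unless is_valid_cidr($str);
    $set->add($str);
    return 1;
}

# Constructed inputs: the two malformed values from the exploit scenario,
# an out-of-range prefix, a dangling slash, and well-formed entries.
for my $in ('10.0.0.0/8', '2001:db8::1', '2001:db8::/32', '::ffff:10.1.2.3',
            'notanip', '999.999.999.999', '10.0.0.1/33', '1.2.3.4/') {
    printf "%-20s %s\n", $in, is_valid_cidr($in) ? 'accept' : 'reject';
}
```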
Vendor Status
SUSE (Severity: Important)
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Related identifiers: EUVD-2026-34298, GHSA-wvxw-q92g-9ghf