
Net::CIDR::Set (EUVD-2026-34298)

CVE-2026-49941 HIGH
Improper Validation of Specified Type of Input (CWE-1287)
2026-06-04 CPANSec GHSA-wvxw-q92g-9ghf
7.5
CVSS 3.1 · NVD

Severity by source

NVD (primary): 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE: HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

CVE Published: Jun 22, 2026 06:03 (cve.org), HIGH 7.5
Analysis Generated: Jun 04, 2026 19:23 (vuln.today)
CVSS changed: Jun 04, 2026 19:22 (NVD), 7.5 (HIGH)
CVE Published: Jun 04, 2026 16:07 (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.

The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to be single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.

If the argument was not a well-formed IP address, then this would lead to indefinite recursion.

An attacker could use this to cause a denial of service.

Analysis (AI-generated)

Denial of service in the Perl module Net::CIDR::Set through version 0.20 allows remote unauthenticated attackers to trigger indefinite recursion by submitting malformed IP address strings to the add() method. The flaw stems from missing input validation when parsing addresses, causing the parser to re-enter itself without a termination condition. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify Perl service accepting IP input
Delivery: Submit malformed IP string
Exploit: add() invokes _encode()
Install: _encode() recurses without termination
C2: Perl worker stack exhausts and crashes
Execute: Repeat to saturate worker pool
Impact: Service-wide denial of service

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires that the target application calls Net::CIDR::Set->add() (or another method that funnels through _encode()) on attacker-controlled string input without first validating that the string is a well-formed IPv4 or IPv6 address or CIDR range; any malformed string that fails the internal netmask and range regex checks will trigger the indefinite recursion. …
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H yields 7.5 (High) and accurately captures the impact profile: network-reachable, no authentication, low complexity, availability-only impact. …
Exploit Scenario: An attacker identifies a web endpoint that accepts an IP or CIDR string (for example an allowlist form, abuse-report API, or firewall management UI) backed by a Perl service using Net::CIDR::Set. They submit a malformed value such as 'notanip' or '999.999.999.999'; the add() method recurses indefinitely, exhausts the worker stack, and the request handler dies. …
Remediation: Upgrade to Net::CIDR::Set 0.21 or later from CPAN (vendor-released patch: 0.21), which adds proper IP address validation in _encode() before recursing; the release notes are at https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes and the coordination advisory is at https://seclists.org/oss-sec/2026/q2/815. …
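A defensive pre-validation guard, added here to illustrate the mitigation that the description and remediation above describe (it is not code from Net::CIDR::Set or from vuln.today): it rejects malformed strings before they are handed to add(), so an unpatched _encode() never enters its recursion. It assumes Perl 5.12 or later for Socket's inet_pton, and it is deliberately stricter than the module's own grammar (dotted-quad netmask forms such as 10.0.0.0/255.0.0.0 are rejected, not parsed).

```perl
#!/usr/bin/perl
# Added illustration (not Net::CIDR::Set's own code): accept only well-formed
# IPv4/IPv6 addresses, addr/prefix notation, or addr-addr ranges, so that
# malformed input never reaches add()/_encode() on a vulnerable version.
use strict;
use warnings;
use Socket qw(AF_INET AF_INET6 inet_pton);

# Address family of a bare address, or 0 if inet_pton rejects it in both families.
sub _family {
    my ($addr) = @_;
    return 0 unless defined $addr && length $addr;
    return AF_INET  if defined inet_pton(AF_INET,  $addr);
    return AF_INET6 if defined inet_pton(AF_INET6, $addr);
    return 0;
}

# 1 if $str is safe to hand to Net::CIDR::Set->add, 0 otherwise.
sub is_well_formed_cidr_input {
    my ($str) = @_;
    return 0 unless defined $str && length $str;

    # "lo-hi" range: both ends must parse and belong to the same family
    if ($str =~ /^([^\/-]+)-([^\/-]+)$/) {
        my ($lo, $hi) = ($1, $2);
        my $fam = _family($lo);
        return ($fam && _family($hi) == $fam) ? 1 : 0;
    }

    # "addr" or "addr/bits": the prefix length must fit the address family
    my ($addr, $bits) = split m{/}, $str, 2;
    my $fam = _family($addr) or return 0;
    return 1 unless defined $bits;
    return 0 unless $bits =~ /^\d{1,3}$/;
    return $bits <= ($fam == AF_INET ? 32 : 128) ? 1 : 0;
}

# Constructed sample input, as an untrusted request parameter might supply it.
my @untrusted = ('192.0.2.0/24', '2001:db8::/32', '10.0.0.1', '10.0.0.1-10.0.0.9',
                 'notanip', '999.999.999.999', '192.0.2.0/33', '');
for my $raw (@untrusted) {
    if (is_well_formed_cidr_input($raw)) {
        print "accept '$raw'\n";   # only these would be passed on to $set->add($raw)
    } else {
        print "reject '$raw'\n";   # malformed: dropped before the library sees it
    }
}
```

The guard is a compensating control for deployments that cannot upgrade immediately; it does not replace the 0.21 fix, which validates inside _encode() itself.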



Vendor Status

SUSE: severity Important; openSUSE Tumbleweed: Fixed
