CVE-2026-45191 PUBLISHED

Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass

Assigner: CPANSec
Reserved: 10.05.2026 Published: 10.05.2026 Updated: 10.05.2026

Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass.

Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value.

Product Status

Vendor	STIGTSP
Product	Net::CIDR::Lite
Versions	Default: unaffected affected from 0 to 0.24 (excl.)

Solutions

Upgrade to version 0.24 or newer, or apply the patch provided.

References

https://github.com/stigtsp/Net-CIDR-Lite/commit/24e2c439ec405e5256024b9acefd4f7008c5ed0c.patch
https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes
https://www.cve.org/CVERecord?id=CVE-2026-45190

Problem Types

CWE-1289 Improper Validation of Unsafe Equivalence in Input CWE