CVE-2026-49940

Name: CVE-2026-49940
Description: Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

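| Source Package | Release | Version | Status |
|---|---|---|---|
| libnet-cidr-set-perl (PTS) | bullseye | 0.13-3 | vulnerable |
| libnet-cidr-set-perl | bookworm | 0.13-4 | vulnerable |
| libnet-cidr-set-perl | trixie | 0.15-1 | vulnerable |
| libnet-cidr-set-perl | forky, sid | 0.22-1 | fixed |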

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libnet-cidr-set-perl | source | (unstable) | 0.21-1 | | | |

Notes

[trixie] - libnet-cidr-set-perl <no-dsa> (Minor issue)
[bookworm] - libnet-cidr-set-perl <no-dsa> (Minor issue)
[bullseye] - libnet-cidr-set-perl <postponed> (Minor issue)
https://lists.security.metacpan.org/cve-announce/msg/40702749/
https://github.com/robrwo/perl-Net-CIDR-Set/commit/875010b4217afe9a61cee519f0e0250847ecf699 (0.21)
