CVE-2026-49941

Name: CVE-2026-49941
Description: Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to be single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package              Release     Version  Status
libnet-cidr-set-perl (PTS)  bullseye    0.13-3   vulnerable
libnet-cidr-set-perl        bookworm    0.13-4   vulnerable
libnet-cidr-set-perl        trixie      0.15-1   vulnerable
libnet-cidr-set-perl        forky, sid  0.22-1   fixed

The information below is based on the following data on fixed versions.

Package               Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
libnet-cidr-set-perl  source  (unstable)  0.21-1

Notes

[trixie] - libnet-cidr-set-perl <no-dsa> (Minor issue)
[bookworm] - libnet-cidr-set-perl <no-dsa> (Minor issue)
[bullseye] - libnet-cidr-set-perl <postponed> (Minor issue)
https://lists.security.metacpan.org/cve-announce/msg/40702781/
https://github.com/robrwo/perl-Net-CIDR-Set/commit/3a40b4c0d0e8ef996ccb7aee1d5f108187431c2b (0.21)
