CVE-2026-49942

Name: CVE-2026-49942
Description: Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package              Release     Version  Status
libnet-cidr-set-perl (PTS)  bullseye    0.13-3   vulnerable
libnet-cidr-set-perl        bookworm    0.13-4   vulnerable
libnet-cidr-set-perl        trixie      0.15-1   vulnerable
libnet-cidr-set-perl        forky, sid  0.21-1   fixed

The information below is based on the following data on fixed versions.

Package               Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
libnet-cidr-set-perl  source  (unstable)  0.21-1

Notes

[trixie] - libnet-cidr-set-perl <no-dsa> (Minor issue)
[bookworm] - libnet-cidr-set-perl <no-dsa> (Minor issue)
[bullseye] - libnet-cidr-set-perl <postponed> (Minor issue)
https://lists.security.metacpan.org/cve-announce/msg/40702816/
https://github.com/robrwo/perl-Net-CIDR-Set/commit/875010b4217afe9a61cee519f0e0250847ecf699 (0.21)
