CVE-2026-45191
Net::CIDR::Lite versions before 0.24 for Perl do not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass
In short
A vulnerability in Net::CIDR::Lite allows attackers to bypass IP access controls by using padded zero characters in CIDR notation (like /00 instead of /0). This happens because the library doesn't properly validate these malformed mask values, treating them the same as legitimate ones.
Technical detail
Net::CIDR::Lite before 0.24 fails to normalize CIDR mask values with extraneous leading zeros, allowing an attacker to craft CIDR blocks with padded notation (/00, /01) that parse identically to unpadded values but may evade IP ACL validation. This enables IP-based access control bypass where blacklist or whitelist rules can be circumvented through alternative CIDR representations.
Summary generated and translated by AI from the official description.
Net::CIDR::Lite versions before 0.24 for Perl do not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass.
Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value.
See also CVE-2026-45190.
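For applications that cannot upgrade immediately, the mask can be checked for canonical form before the string reaches the library. The following is an added example, not code from Net::CIDR::Lite or from its 0.24 fix; the function names are hypothetical, the lenient check is a generic illustration of the flaw class, and the sample inputs are constructed.

```perl
use strict;
use warnings;

# Lenient mask check, shown for contrast: any digit string in range passes,
# so "00" and "01" are accepted and numify to 0 and 1.
sub lenient_mask {
    my ($mask, $max) = @_;
    return unless $mask =~ /\A[0-9]+\z/ && $mask <= $max;
    return $mask + 0;
}

# Strict mask check: "0", or digits with no leading zero, within range.
sub strict_mask {
    my ($mask, $max) = @_;
    return unless $mask =~ /\A(?:0|[1-9][0-9]{0,2})\z/ && $mask <= $max;
    return $mask + 0;
}

# Hypothetical guard: split "addr/mask", choose the maximum prefix length
# by address family, and return the prefix length, or undef when the
# supplied check rejects the mask. The address part is not validated here.
sub guarded_prefix_len {
    my ($cidr, $check) = @_;
    my ($addr, $mask) = $cidr =~ m{\A([^/]+)/([^/]+)\z} or return;
    my $max = $addr =~ /:/ ? 128 : 32;
    return $check->($mask, $max);
}

# Constructed sample inputs: canonical masks, the padded forms named in the
# advisory (/00, /01), and one out-of-range mask.
my @samples = qw(
    0.0.0.0/0      0.0.0.0/00
    128.0.0.0/1    128.0.0.0/01
    2001:db8::/32  10.0.0.0/33
);

for my $cidr (@samples) {
    my $lenient = guarded_prefix_len($cidr, \&lenient_mask);
    my $strict  = guarded_prefix_len($cidr, \&strict_mask);
    printf "%-14s lenient=%-9s strict=%s\n", $cidr,
        $lenient // 'rejected', $strict // 'rejected';
}
```

The padded inputs are accepted by the lenient check with the same prefix length as their unpadded form and are rejected by the strict check.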
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected products
STIGTSP · Net::CIDR::Lite