CVE-2026-49940

Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks

CVSS 6.5 MEDIUM · EPSS 0.2% · CWE-1289
In short

Net::CIDR::Set, a Perl library for managing IP address ranges, incorrectly accepts non-ASCII Unicode digits (such as Arabic-Indic digits) where only standard ASCII digits should be allowed. This flaw allows attackers to bypass network restrictions by crafting IP addresses that parse differently than intended.

Technical detail

Net::CIDR::Set ≤0.20 fails to validate and properly parse non-ASCII Unicode digits in IP addresses and netmasks. An attacker can supply crafted input using characters like U+0661 (Arabic-Indic One), which are accepted but misinterpreted during parsing, resulting in incorrect CIDR range calculations and a potential network access control bypass.
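
A caller-side check that rejects such input before it reaches the library, shown as an added example (it is not code from Net::CIDR::Set or from any fix for it). The helper name `is_ascii_ipv4_cidr` is hypothetical, the sample inputs are constructed, and only IPv4 dotted-quad notation is covered.

```perl
#!/usr/bin/env perl
# Added example: strict ASCII pre-validation for IPv4 address/CIDR strings.
use strict;
use warnings;
binmode STDOUT, ':encoding(UTF-8)';   # samples below contain non-ASCII digits

# Hypothetical helper (not part of Net::CIDR::Set). Returns true only for a
# dotted-quad IPv4 address with an optional /0-32 prefix, all in ASCII digits.
sub is_ascii_ipv4_cidr {
    my ($s) = @_;
    return 0 unless defined $s;
    # [0-9] is ASCII-only; \d without the /a flag matches any Unicode digit.
    # \A and \z anchor the whole string, so a trailing newline is rejected too.
    return 0 unless $s =~ m{\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(?:/([0-9]{1,2}))?\z};
    my @octets = ($1, $2, $3, $4);
    my $prefix = $5;
    return 0 if grep { $_ > 255 } @octets;
    return 0 if defined $prefix && $prefix > 32;
    return 1;
}

# Constructed sample inputs.
my @samples = (
    "10.0.0.0/24",             # plain ASCII
    "10.0.0.0/2\x{0664}",      # prefix ends in U+0664 ARABIC-INDIC DIGIT FOUR
    "\x{0661}0.0.0.0/8",       # first octet starts with U+0661 ARABIC-INDIC DIGIT ONE
    "192.168.1.300",           # ASCII digits, but octet out of range
);

for my $s (@samples) {
    # A loose pattern built on \d, for comparison with the strict check.
    my $loose  = $s =~ m{\A\d+\.\d+\.\d+\.\d+(?:/\d+)?\z} ? 'match' : 'no match';
    my $strict = is_ascii_ipv4_cidr($s) ? 'accept' : 'reject';
    printf "%-16s  \\d pattern: %-8s  strict ASCII check: %s\n", $s, $loose, $strict;
}
```

All four samples match the loose `\d` pattern, while the strict check accepts only the first.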

Summary generated and translated by AI from the official description.
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
RRWO · Net::CIDR::Set
