CVE-2026-49941

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit net...

high 7.5 CVSS 3.1
Published: Jun 4, 2026
Modified: Jun 8, 2026
Vendor: Rrwo
Product: Net\
Versions: \

Description

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.

The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.

If the argument was not a well-formed IP address, then this would lead to indefinite recursion.

An attacker could use this to cause a denial of service.

References

Related CVEs

CVE-2026-49940 medium · 6.5
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parse
CVE-2026-49942 high · 7.3
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661)
CVE-2026-46739 medium · 5.3
Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could i
CVE-2026-8722 medium · 6.5
Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untruste
CVE-2025-15638 critical · 10.0
Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. Thes
CVE-2022-38013 high · 7.5
.NET Core and Visual Studio Denial of Service Vulnerability