CVE-2026-40199

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 10/04/2026
Last modified: 10/04/2026

Description

Net::CIDR::Lite versions before 0.23 for Perl mishandle IPv4 mapped IPv6 addresses, which may allow IP ACL bypass.

_pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address.

The wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find(), which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses.

Example:

    my $cidr = Net::CIDR::Lite->new("::ffff:192.168.1.0/120");
    $cidr->find("::ffff:192.168.2.0"); # incorrectly returns true

This is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x).

See also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.
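The mechanism described above, reduced to a stand-alone Perl model for the advisory's own /120 prefix (an added example, not the Net::CIDR::Lite source). The helper names, the leading zero sentinel byte, the mask layout and the inclusive range check are assumptions made for illustration; the model contrasts the 18 byte packing with the intended 17 byte one.

```perl
#!/usr/bin/perl
# Simplified model of the packing flaw described in the advisory.
# Not the module's code: all helper names here are hypothetical.
use strict;
use warnings;

# Assumption: a packed IPv4 address is a zero sentinel byte plus four octets.
sub pack_ipv4 { pack "C5", 0, split /\./, shift }

# Pack ::ffff:a.b.c.d. With $keep_sentinel true the IPv4 sentinel is copied
# into the IPv6 value (18 bytes, the flaw); otherwise it is dropped (17 bytes).
sub pack_mapped {
    my ($addr, $keep_sentinel) = @_;
    my ($v4) = $addr =~ /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i
        or die "not an IPv4 mapped address: $addr\n";
    my $tail = pack_ipv4($v4);
    $tail = substr($tail, 1) unless $keep_sentinel;
    return "\0" . ("\0" x 10) . "\xff\xff" . $tail;
}

# Assumption: masks are a zero sentinel byte followed by 128 mask bits.
sub net_mask  { pack "B*", ("0" x 8) . ("1" x $_[0]) . ("0" x (128 - $_[0])) }
sub host_bits { pack "B*", ("0" x (8 + $_[0])) . ("1" x (128 - $_[0])) }

# Membership test in the style the description gives: string AND to get the
# network start, then lt/gt string comparison against start and end.
sub in_prefix {
    my ($net, $bits, $addr, $flawed) = @_;
    # String AND truncates to the shorter operand, so an 18 byte address
    # silently becomes a 17 byte start with the IPv4 octets shifted by one.
    my $start = pack_mapped($net, $flawed) & net_mask($bits);
    my $end   = $start | host_bits($bits);
    my $probe = pack_mapped($addr, $flawed);
    return !($probe lt $start || $probe gt $end) ? 1 : 0;
}

my ($net, $bits) = ("::ffff:192.168.1.0", 120);
printf "packed length: flawed=%d intended=%d\n",
    length(pack_mapped($net, 1)), length(pack_mapped($net, 0));
printf "flawed   start: %s\n", unpack "H*", pack_mapped($net, 1) & net_mask($bits);
printf "intended start: %s\n", unpack "H*", pack_mapped($net, 0) & net_mask($bits);

# Constructed sample addresses: one inside the /120, two outside it.
for my $addr (qw(::ffff:192.168.1.77 ::ffff:192.168.2.0 ::ffff:10.0.0.1)) {
    printf "%-22s flawed=%d intended=%d\n", $addr,
        in_prefix($net, $bits, $addr, 1), in_prefix($net, $bits, $addr, 0);
}
```

Run it without `use v5.28` or later, since that enables the `bitwise` feature and makes `&` and `|` numeric rather than string operators.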

Impact