CVE-2026-49941

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/06/2026
Last modified:
08/06/2026

Description

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.<br /> <br /> The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.<br /> <br /> If the argument was not a well-formed IP address, then this would lead to indefinite recursion.<br /> <br /> An attacker could use this to cause a denial of service.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:rrwo:net\:\:cidr\:\:set:*:*:*:*:*:perl:*:* 0.21 (excluding)