Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2026-40198

Severity: Pending analysis
Type: Not available / Other type
Publication date: 10/04/2026
Last modified: 10/04/2026

Description

Net::CIDR::Lite versions before 0.23 for Perl do not validate the IPv6 group count, which may allow IP ACL bypass.

_pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and produce packed values of the wrong length (3, 7, or 15 bytes instead of 17).

The packed values are used internally for mask and comparison operations. find() and bin_find() use Perl string comparison (lt/gt) on these values, and comparing strings of different lengths gives wrong results. This can cause find() to incorrectly report an address as inside or outside a range.

Example:

    use Net::CIDR::Lite;

    my $cidr = Net::CIDR::Lite->new("::/8");
    $cidr->find("1:2:3"); # invalid input, incorrectly returns true

This is the same class of input validation issue as CVE-2021-47154 (IPv4 leading zeros) previously fixed in this module.

See also CVE-2026-40199, a related issue in the same function affecting IPv4 mapped IPv6 addresses.
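The length mismatch described above can be reproduced without the module. The following is an added example, not Net::CIDR::Lite's own code: it models the packing as one leading zero byte plus two bytes per hex group and shows the effect of the missing group-count check. The names pack_groups and in_range and the ::/8 bounds are constructed for illustration, and "::" compression is not handled.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Model of the packed form: a leading zero byte, then two bytes per hex group.
# With $strict set, an address without "::" must have exactly 8 groups, which
# is the check the advisory reports as missing. Hypothetical helper.
sub pack_groups {
    my ($addr, $strict) = @_;
    my @groups = split /:/, $addr, -1;
    return if !@groups || @groups > 8;
    return if grep { !/\A[0-9a-fA-F]{1,4}\z/ } @groups;
    return if $strict && @groups != 8;
    my $hex = join('', map { substr("0000$_", -4) } @groups);
    return pack('H*', '00' . $hex);
}

# ::/8 as a half-open range of 17-byte packed values (constructed bounds).
my $START = "\0" x 17;
my $END   = "\0\x01" . ("\0" x 15);

# Membership test using Perl string comparison, the kind of comparison the
# advisory describes for find() and bin_find(). Hypothetical helper.
sub in_range {
    my ($packed) = @_;
    return 0 unless defined $packed;
    return ($packed ge $START && $packed lt $END) ? 1 : 0;
}

# Constructed sample inputs: the three malformed strings from the advisory,
# one valid address inside ::/8 and one valid address outside it.
my @samples = ('abcd', '1:2:3', '1:2:3:4:5:6:7',
               '0:0:0:0:0:0:0:1', '100:0:0:0:0:0:0:1');

for my $addr (@samples) {
    my $loose  = pack_groups($addr, 0);
    my $strict = pack_groups($addr, 1);
    my $strict_result = defined($strict)
        ? 'in ::/8 = ' . in_range($strict)
        : 'rejected';
    printf "%-18s loose: %2d bytes, in ::/8 = %d | strict: %s\n",
        $addr, length($loose), in_range($loose), $strict_result;
}
```

Without the check, the 7-byte value for "1:2:3" sorts between the two 17-byte bounds and is reported as inside ::/8. With the check, all three malformed inputs are rejected before any comparison takes place.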

Impact