CVE-2026-40198: CWE-1286 Improper Validation of Syntactic Correctness of Input in STIGTSP Net::CIDR::Lite
Net::CIDR::Lite versions before 0.23 for Perl contain an input validation vulnerability: IPv6 addresses written without compression (no `::`) are not checked for having exactly 8 hex groups. Malformed IPv6 inputs with the wrong group count are therefore accepted and packed into internal values of the wrong length. Address range checks using find() may then report an address as inside or outside a range incorrectly, potentially allowing IP ACL bypass.
AI Analysis
Technical Summary
The vulnerability in Net::CIDR::Lite prior to version 0.23 arises from improper validation of the syntactic correctness of uncompressed IPv6 addresses. The _pack_ipv6() function does not verify that an uncompressed IPv6 address contains exactly 8 hex groups, so inputs such as "abcd", "1:2:3" or "1:2:3:4:5:6:7" are accepted. These inputs produce packed byte strings shorter than the 16 bytes a real IPv6 address occupies, and those strings are then fed into the same mask and comparison operations as well-formed ones. find() and bin_find() decide membership with Perl string comparison on the packed values, which is a byte-wise lexicographic comparison: a short packed value can sort between the packed start and end of a range even though it corresponds to no real address, or sort outside a range it would otherwise match. The practical consequence is that find() can report a malformed IPv6 string as being within a CIDR range, which is an ACL bypass wherever the caller trusts that answer. This issue is related to a previously fixed input validation problem (CVE-2021-47154) and is linked to CVE-2026-40199, which affects IPv4-mapped IPv6 addresses.
Potential Impact
The impact of this vulnerability is that IP address access control lists (ACLs) relying on Net::CIDR::Lite may be bypassed due to incorrect validation and comparison of IPv6 addresses. This could allow unauthorized IP addresses to be treated as authorized within network filtering or access control contexts. There is no evidence of known exploits in the wild at this time.
Mitigation Recommendations
The description identifies versions before 0.23 as affected, so the expected remediation is to upgrade Net::CIDR::Lite to 0.23 or later; confirm this against the CPANSec advisory, since this page carries no separate patch confirmation. Until the upgrade is in place, validate IPv6 strings before they reach find(): reject any uncompressed address that does not have exactly 8 hex groups and any address containing more than one `::`, for example by requiring Socket::inet_pton(AF_INET6, $addr) to return a defined value. Treat a rejected address as outside every allow-list range (fail closed) rather than passing it through to the lookup.
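The following is an added example, not Net::CIDR::Lite's code, written to illustrate both the mechanism in the Technical Summary above and the external pre-validation suggested under Mitigation Recommendations. It models the flawed path in Python: a packer that expands `::` but never checks the group count of an uncompressed address, a range test that compares packed values as byte strings the way the advisory describes find()/bin_find() doing, and a strict syntactic validator to run before any lookup. The CIDR block and addresses are constructed test data; the function names are this example's own.

```python
"""Model of the packed-length bug described for CVE-2026-40198.

Added example, not Net::CIDR::Lite's code. Models the described behaviour:
an IPv6 packer that skips the 8-group check, a range test done by plain
byte-string comparison, and a strict validator that closes the gap.
"""
import ipaddress

HEX_DIGITS = frozenset("0123456789abcdefABCDEF")


def pack_ipv6_lax(addr: str) -> bytes:
    """Pack like the flawed path: expand '::' when present, but never check
    that an uncompressed address has exactly 8 groups (2 bytes each)."""
    if "::" in addr:
        head, tail = addr.split("::", 1)
        h = head.split(":") if head else []
        t = tail.split(":") if tail else []
        groups = h + ["0"] * (8 - len(h) - len(t)) + t
    else:
        groups = addr.split(":")  # BUG modelled here: any group count accepted
    return b"".join(int(g or "0", 16).to_bytes(2, "big") for g in groups)


def cidr_bounds(cidr: str) -> tuple[bytes, bytes]:
    """Lowest and highest packed address of a CIDR block (always 16 bytes)."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    return net.network_address.packed, net.broadcast_address.packed


def find_lax(cidr: str, addr: str) -> bool:
    """Membership by byte-string comparison of packed values, as the advisory
    describes find()/bin_find(). Correct for 16-byte inputs; for a short
    packed value the lexicographic order says nothing about any address."""
    lo, hi = cidr_bounds(cidr)
    return lo <= pack_ipv6_lax(addr) <= hi


def is_valid_ipv6(addr: str) -> bool:
    """Syntactic check to run before any lookup: exactly 8 groups when there
    is no '::', at most 7 when there is one, at most one '::', and every
    group 1-4 hex digits. Dotted-quad tails (IPv4-mapped forms) are
    deliberately rejected here; widen this if your ACLs need them."""
    if addr.count("::") > 1:
        return False
    if "::" in addr:
        head, tail = addr.split("::", 1)
        groups = [g for part in (head, tail) if part for g in part.split(":")]
        if len(groups) > 7:
            return False
    else:
        groups = addr.split(":")
        if len(groups) != 8:
            return False
    return all(1 <= len(g) <= 4 and set(g) <= HEX_DIGITS for g in groups)


def find_strict(cidr: str, addr: str) -> bool:
    """Hardened lookup: refuse malformed input before packing, so a bad string
    can never be silently reported as in-range (fail closed)."""
    if not is_valid_ipv6(addr):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return find_lax(cidr, addr)


if __name__ == "__main__":
    allow = "2001:db8::/32"  # constructed allow-list range
    for probe in ("2001:db8::1", "2001:db9::1", "2001:db8:1", "abcd"):
        packed = pack_ipv6_lax(probe)
        print(f"{probe:12s} packed={len(packed):2d} bytes "
              f"lax={find_lax(allow, probe)} valid={is_valid_ipv6(probe)}")
```

With the constructed range 2001:db8::/32, the 3-group string "2001:db8:1" packs to 6 bytes that sort between the block's 16-byte start and end, so the lax lookup reports it inside; the strict validator rejects it before the comparison is ever made. In a Perl deployment the equivalent pre-check is a defined result from Socket::inet_pton(AF_INET6, $addr), which applies the same group-count rules.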
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-04-09T22:12:06.334Z
- CVSS Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d9743b1cc7ad14daee266d
Added to database: 4/10/2026, 10:05:47 PM
Last enriched: 4/10/2026, 10:20:54 PM
Last updated: 4/11/2026, 12:29:41 AM