CVE-2026-40199: CWE-130 Improper Handling of Length Parameter Inconsistency in STIGTSP Net::CIDR::Lite
Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. _pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address. The wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find() which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses. Example: my $cidr = Net::CIDR::Lite->new("::ffff:192.168.1.0/120"); $cidr->find("::ffff:192.168.2.0"); # incorrectly returns true This is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x). See also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.
AI Analysis
Technical Summary
CVE-2026-40199 is a vulnerability in Net::CIDR::Lite versions prior to 0.23 for Perl where the _pack_ipv6() function incorrectly includes a sentinel byte from _pack_ipv4() when packing IPv4 mapped IPv6 addresses (::ffff:x.x.x.x). This causes the packed address length to be 18 bytes instead of the expected 17, misaligning the IPv4 portion. The length discrepancy leads to incorrect results in bitwise mask operations and string comparisons used by find() and bin_find() methods, potentially causing these methods to incorrectly match or miss IP addresses. This flaw can allow IP Access Control List (ACL) bypass by misclassifying addresses.
Potential Impact
The vulnerability can lead to incorrect IP address matching in ACLs that rely on Net::CIDR::Lite for address lookups, potentially allowing unauthorized access or bypass of IP-based restrictions. The impact is limited to confidentiality and integrity as indicated by the CVSS vector (C:L/I:L/A:N). There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should be cautious when using Net::CIDR::Lite for IPv4 mapped IPv6 address handling and consider alternative libraries or additional validation to mitigate IP ACL bypass risks.
CVE-2026-40199: CWE-130 Improper Handling of Length Parameter Inconsistency in STIGTSP Net::CIDR::Lite
Description
Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. _pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address. The wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find() which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses. Example: my $cidr = Net::CIDR::Lite->new("::ffff:192.168.1.0/120"); $cidr->find("::ffff:192.168.2.0"); # incorrectly returns true This is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x). See also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40199 is a vulnerability in Net::CIDR::Lite versions prior to 0.23 for Perl where the _pack_ipv6() function incorrectly includes a sentinel byte from _pack_ipv4() when packing IPv4 mapped IPv6 addresses (::ffff:x.x.x.x). This causes the packed address length to be 18 bytes instead of the expected 17, misaligning the IPv4 portion. The length discrepancy leads to incorrect results in bitwise mask operations and string comparisons used by find() and bin_find() methods, potentially causing these methods to incorrectly match or miss IP addresses. This flaw can allow IP Access Control List (ACL) bypass by misclassifying addresses.
Potential Impact
The vulnerability can lead to incorrect IP address matching in ACLs that rely on Net::CIDR::Lite for address lookups, potentially allowing unauthorized access or bypass of IP-based restrictions. The impact is limited to confidentiality and integrity as indicated by the CVSS vector (C:L/I:L/A:N). There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should be cautious when using Net::CIDR::Lite for IPv4 mapped IPv6 address handling and consider alternative libraries or additional validation to mitigate IP ACL bypass risks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-04-09T22:12:06.334Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d9743b1cc7ad14daee2672
Added to database: 4/10/2026, 10:05:47 PM
Last enriched: 4/18/2026, 2:44:00 PM
Last updated: 5/26/2026, 1:31:02 AM
Views: 72
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.