CVE-2026-45190: CWE-1289 Improper Validation of Unsafe Equivalence in Input in STIGTSP Net::CIDR::Lite
Net::CIDR::Lite versions before 0. 24 for Perl improperly validate IP address and CIDR mask inputs, allowing IP ACL bypass. Inputs with trailing newlines or non-ASCII digit characters pass validation but are re-encoded differently by the parser, causing find() and bin_find() functions to incorrectly match or miss addresses. This can lead to incorrect access control decisions.
AI Analysis
Technical Summary
The vulnerability in Net::CIDR::Lite (pre-0.24) arises from improper validation of IP address and CIDR mask inputs. Specifically, inputs containing trailing newline characters or non-ASCII digit characters are accepted by validators but are then re-encoded to different addresses by the parser. This discrepancy causes the find() and bin_find() methods to return incorrect results, potentially allowing IP access control list (ACL) bypass. For example, adding the CIDR "::1\n/128" and then searching for "::1a" incorrectly returns true. This issue is classified under CWE-1289 (Improper Validation of Unsafe Equivalence in Input). No CVSS score or official remediation information is currently available.
Potential Impact
The vulnerability can cause IP ACL bypass due to inconsistent validation and parsing of IP addresses and CIDR masks. This may allow unauthorized access if ACLs rely on Net::CIDR::Lite for IP matching. There are no known exploits in the wild at this time. The lack of proper input validation undermines the reliability of IP-based access controls using this library.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid using vulnerable versions of Net::CIDR::Lite or implement additional input validation to reject inputs containing trailing newlines or non-ASCII digit characters. Monitor official STIGTSP advisories for updates and patches.
CVE-2026-45190: CWE-1289 Improper Validation of Unsafe Equivalence in Input in STIGTSP Net::CIDR::Lite
Description
Net::CIDR::Lite versions before 0. 24 for Perl improperly validate IP address and CIDR mask inputs, allowing IP ACL bypass. Inputs with trailing newlines or non-ASCII digit characters pass validation but are re-encoded differently by the parser, causing find() and bin_find() functions to incorrectly match or miss addresses. This can lead to incorrect access control decisions.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Net::CIDR::Lite (pre-0.24) arises from improper validation of IP address and CIDR mask inputs. Specifically, inputs containing trailing newline characters or non-ASCII digit characters are accepted by validators but are then re-encoded to different addresses by the parser. This discrepancy causes the find() and bin_find() methods to return incorrect results, potentially allowing IP access control list (ACL) bypass. For example, adding the CIDR "::1\n/128" and then searching for "::1a" incorrectly returns true. This issue is classified under CWE-1289 (Improper Validation of Unsafe Equivalence in Input). No CVSS score or official remediation information is currently available.
Potential Impact
The vulnerability can cause IP ACL bypass due to inconsistent validation and parsing of IP addresses and CIDR masks. This may allow unauthorized access if ACLs rely on Net::CIDR::Lite for IP matching. There are no known exploits in the wild at this time. The lack of proper input validation undermines the reliability of IP-based access controls using this library.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid using vulnerable versions of Net::CIDR::Lite or implement additional input validation to reject inputs containing trailing newlines or non-ASCII digit characters. Monitor official STIGTSP advisories for updates and patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-05-10T16:36:05.708Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a00ec48cbff5d8610db9c48
Added to database: 5/10/2026, 8:36:24 PM
Last enriched: 5/10/2026, 8:51:30 PM
Last updated: 5/10/2026, 9:38:42 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.