CVE-2026-45190: CWE-1289 Improper Validation of Unsafe Equivalence in Input in STIGTSP Net::CIDR::Lite
Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled.find() and bin_find() can match or miss addresses as a result. Example: my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); # incorrectly returns true See also CVE-2026-45191.
AI Analysis
Technical Summary
The vulnerability in Net::CIDR::Lite (pre-0.24) arises from improper validation of IP address and CIDR mask inputs. Specifically, inputs containing trailing newline characters or non-ASCII digits bypass the validator but are then re-encoded to different addresses internally. This discrepancy causes the find() and bin_find() functions to return incorrect results, potentially allowing IP ACL bypass. The issue is tracked as CWE-1289 (Improper Validation of Unsafe Equivalence in Input) and has a CVSS 3.1 base score of 6.5, indicating a medium severity level.
Potential Impact
An attacker can craft IP address inputs that appear valid to the validator but are interpreted differently by the parser, leading to incorrect access control list (ACL) enforcement. This may allow unauthorized access by bypassing IP-based restrictions. There is no indication of confidentiality loss, but integrity and availability impacts are possible due to ACL bypass. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid relying solely on Net::CIDR::Lite versions before 0.24 for IP ACL enforcement or implement additional input validation to reject inputs with trailing newlines or non-ASCII digit characters.
CVE-2026-45190: CWE-1289 Improper Validation of Unsafe Equivalence in Input in STIGTSP Net::CIDR::Lite
Description
Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled.find() and bin_find() can match or miss addresses as a result. Example: my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); # incorrectly returns true See also CVE-2026-45191.
CVSS v3.1
Score 6.5medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Net::CIDR::Lite (pre-0.24) arises from improper validation of IP address and CIDR mask inputs. Specifically, inputs containing trailing newline characters or non-ASCII digits bypass the validator but are then re-encoded to different addresses internally. This discrepancy causes the find() and bin_find() functions to return incorrect results, potentially allowing IP ACL bypass. The issue is tracked as CWE-1289 (Improper Validation of Unsafe Equivalence in Input) and has a CVSS 3.1 base score of 6.5, indicating a medium severity level.
Potential Impact
An attacker can craft IP address inputs that appear valid to the validator but are interpreted differently by the parser, leading to incorrect access control list (ACL) enforcement. This may allow unauthorized access by bypassing IP-based restrictions. There is no indication of confidentiality loss, but integrity and availability impacts are possible due to ACL bypass. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid relying solely on Net::CIDR::Lite versions before 0.24 for IP ACL enforcement or implement additional input validation to reject inputs with trailing newlines or non-ASCII digit characters.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-05-10T16:36:05.708Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a00ec48cbff5d8610db9c48
Added to database: 5/10/2026, 8:36:24 PM
Last enriched: 5/18/2026, 10:03:48 AM
Last updated: 6/18/2026, 5:08:45 AM
Views: 103
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.