PT-2026-22248 · Net::Cidr+2 · Net::Cidr+2

Published

2021-01-01

Updated

2026-05-12

CVE-2021-4456

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Net::CIDR versions prior to 0.24

Description The software mishandles leading zeros in IP CIDR addresses, potentially leading to an unspecified impact. The addr2cidr and cidrlookup functions can return leading zeros within a CIDR string, which could be interpreted as octal numbers. This may allow an attacker to bypass IP address-based access controls. The documentation suggests using the cidrvalidate function to validate untrusted CIDR strings, but this mitigation is optional and not enforced by default. Users may call addr2cidr or cidrlookup with untrusted input without validation, incorrectly assuming it is safe.

Recommendations Versions prior to 0.24 should be updated to version 0.24 or later.

Fix

Incorrect Type Conversion or Cast

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-704

Related Identifiers

CVE-2021-4456

OPENSUSE-SU-2026:10756-1

OPENSUSE-SU-2026:20773-1

USN-8110-1

Affected Products

Linuxmint

Net::Cidr

Ubuntu

PT-2026-22248 · Net::Cidr+2 · Net::Cidr+2

CVE-2021-4456

Weakness Enumeration

Related Identifiers

Affected Products

References · 19