PT-2026-32049 · Unknown · Net-Cidr-Lite

Published: 2026-04-10 · Updated: 2026-05-14 · CVE-2026-40199

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Net::CIDR::Lite versions prior to 0.23

Description

Net::CIDR::Lite versions before 0.23 for Perl incorrectly handle IPv4-mapped IPv6 addresses, potentially allowing IP ACL bypass. When creating the packed representation of an IPv4-mapped address such as ::ffff:192.168.1.1, the _pack_ipv6() function includes the sentinel byte from _pack_ipv4(), so the result is 18 bytes long instead of 17. This length mismatch breaks mask operations and address matching within the find() and bin_find() functions, potentially leading to incorrect matches or misses. The issue is triggered by valid RFC 4291 IPv4-mapped addresses (::ffff:x.x.x.x).

Recommendations

Update Net::CIDR::Lite to version 0.23 or later.
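
The length mismatch described above, as an added Perl model (not Net::CIDR::Lite's own code): it packs ::ffff:192.168.1.1 with and without the extra sentinel byte and tests both values against a constructed 17-byte range. The function names, the position of the stray byte and the byte-string comparison used for lookup are assumptions of this model.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Model of the packed layout the advisory describes; NOT Net::CIDR::Lite's source.
# Every packed address starts with a one-byte sentinel (0x00).
sub pack_ipv4 {
    my @octets = split /\./, $_[0];
    return pack 'C5', 0, @octets;                 # sentinel + 4 octets = 5 bytes
}

# Pack ::ffff:a.b.c.d. $strip = 0 models the length before 0.23 (18 bytes),
# $strip = 1 models the corrected length (17 bytes).
# Assumption: the stray sentinel sits directly in front of the IPv4 octets.
sub pack_mapped {
    my ($addr, $strip) = @_;
    my ($v4) = $addr =~ /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i
        or die "not an IPv4-mapped address: $addr\n";
    my $tail = pack_ipv4($v4);
    $tail = substr($tail, 1) if $strip;
    return pack('H*', '00' . ('0' x 20) . 'ffff') . $tail;
}

# Constructed ACL entry ::ffff:192.168.1.0/120, bounds written as hex groups:
# sentinel + 16 address bytes = 17 bytes each, upper bound exclusive.
my $start = pack 'H*', '00' . ('0' x 20) . 'ffff' . 'c0a80100';
my $end   = pack 'H*', '00' . ('0' x 20) . 'ffff' . 'c0a80200';

# Assumption: lookups compare packed values as byte strings.
sub in_acl {
    my ($packed) = @_;
    return ($start le $packed && $packed lt $end) ? 1 : 0;
}

for my $strip (0, 1) {
    my $packed = pack_mapped('::ffff:192.168.1.1', $strip);
    printf "%-11s len=%d hex=%s in_acl=%d\n",
        ($strip ? 'corrected' : 'before 0.23'),
        length($packed), unpack('H*', $packed), in_acl($packed);
}
```

In this model the 18-byte value carries a zero byte where the range bounds carry the first IPv4 octet, so it sorts below the range start and the lookup misses an address that belongs to the range.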

Related Identifiers

CVE-2026-40199
OPENSUSE-SU-2026:10780-1

Affected Products

Net-Cidr-Lite