CVE-2026-49941

HIGH 7.5

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service.

CWE	CWE-1287 CWE-674
Vendor	rrwo
Product	net::cidr::set
Published	Jun 4, 2026
Last Updated	Jun 4, 2026

Stay Ahead of the Next One

Get instant alerts for rrwo net::cidr::set

Be the first to know when new high vulnerabilities affecting rrwo net::cidr::set are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

RRWO / Net::CIDR::Set

0 ≤ 0.20

References

NVD ↗ CVE.org ↗ EPSS Data ↗

metacpan.org: https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes openwall.com: http://www.openwall.com/lists/oss-security/2026/06/04/11