Fluid Attacks Database

Description

Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result. Example: my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); # incorrectly returns true See also CVE-2026-45191.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libnet-cidr-lite-perl	=0.22-1 \|\| =0.22-2 \|\| =0.22-3 \|\| =0.22-3~deb12u1 \|\| =0.22-3~deb13u1 \|\| =0.23-1 \|\| =0.24-1	-
debian 13	libnet-cidr-lite-perl	=0.22-2 \|\| =0.22-3 \|\| =0.22-3~deb12u1 \|\| =0.22-3~deb13u1 \|\| =0.23-1 \|\| =0.24-1	-
debian 14	libnet-cidr-lite-perl	=0.22-2 \|\| =0.22-3 \|\| =0.22-3~deb12u1 \|\| =0.22-3~deb13u1 \|\| =0.23-1 \|\| >=0 <0.24-1	0.24-1
debian 12	libnet-cidr-lite-perl	=0.22-2 \|\| =0.22-3 \|\| =0.22-3~deb12u1 \|\| =0.22-3~deb13u1 \|\| =0.23-1 \|\| =0.24-1	-
rpm rhel8	perl	-	-
rpm rhel10	perl	-	-
rpm rhel6	perl	-	-
rpm rhel7	perl	-	-
rpm rhel9	perl	-	-

Aliases

1. CVE-2026-451902. NVD-2026-451903. OSV-DEBIAN-2026-451904. OSV-2026-451905. SECURITY-TRACKER-CVE-2026-45190

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.