Fluid Attacks Database

Description

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	libnet-cidr-set-perl	=0.13-3 \|\| =0.13-4 \|\| =0.13-5 \|\| =0.15-1 \|\| =0.19-1 \|\| =0.20-1 \|\| =0.21-1
debian 12	libnet-cidr-set-perl	=0.13-4 \|\| =0.13-5 \|\| =0.15-1 \|\| =0.19-1 \|\| =0.20-1 \|\| =0.21-1
debian 13	libnet-cidr-set-perl	=0.15-1 \|\| =0.19-1 \|\| =0.20-1 \|\| =0.21-1
debian 14	libnet-cidr-set-perl	=0.15-1 \|\| =0.19-1 \|\| =0.20-1 \|\| =0.21-1

Aliases

1. CVE-2026-499412. NVD-2026-499413. OSV-DEBIAN-2026-499414. OSV-2026-499415. SECURITY-TRACKER-CVE-2026-49941

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.