CVE-2026-40199 Overview
CVE-2026-40199 is an input validation vulnerability in Net::CIDR::Lite, a Perl module for CIDR (Classless Inter-Domain Routing) address manipulation. Versions before 0.23 mishandle IPv4-mapped IPv6 addresses, which may allow IP-based Access Control List (ACL) bypass.
The vulnerability exists in the _pack_ipv6() function, which incorrectly includes a sentinel byte from _pack_ipv4() when building the packed representation of IPv4-mapped addresses in the format ::ffff:x.x.x.x. This produces an 18-byte value instead of the expected 17 bytes, misaligning the IPv4 portion of the address.
Critical Impact
Attackers can bypass IP-based access controls by exploiting incorrect address matching behavior, potentially gaining unauthorized access to protected resources or bypassing network security policies.
Affected Products
- Net::CIDR::Lite for Perl, versions prior to 0.23
Discovery Timeline
- 2026-04-10 - CVE-2026-40199 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-40199
Vulnerability Analysis
The root cause of this vulnerability is improper length handling during IPv6 address packing. When processing RFC 4291-compliant IPv4-mapped IPv6 addresses (formatted as ::ffff:x.x.x.x), the _pack_ipv6() function erroneously incorporates a sentinel byte originating from the _pack_ipv4() function.
This sentinel byte inclusion results in a packed address representation of 18 bytes rather than the correct 17-byte length. The length mismatch has cascading effects on subsequent operations that rely on precise byte alignment for proper address comparison and manipulation.
Root Cause
The vulnerability stems from improper buffer length calculation in the _pack_ipv6() function when handling IPv4 mapped addresses. The function fails to properly exclude the sentinel byte that _pack_ipv4() appends, leading to an off-by-one error in the packed address representation. This falls under CWE-130 (Improper Handling of Length Parameter Inconsistency).
Attack Vector
The incorrect packed address length causes two distinct failure modes:
Mask Operations Failure: When performing bitwise AND operations for CIDR mask calculations, Perl's string bitwise AND truncates the result to the length of the shorter operand. This causes incorrect subnet boundary calculations when comparing addresses against CIDR ranges.
String Comparison Failure: The find() and bin_find() methods rely on Perl's string comparison operators (lt/gt) for address matching. The misaligned byte structure causes these comparisons to produce incorrect results, leading to false positives or false negatives in address lookups.
An attacker can exploit this by using valid RFC 4291 IPv4-mapped addresses to bypass IP-based ACLs. For example, an address like ::ffff:192.168.2.0 might incorrectly match against a CIDR range of ::ffff:192.168.1.0/120, granting unauthorized access to protected resources.
This vulnerability is related to CVE-2026-40198, which affects the same function but involves malformed IPv6 addresses rather than valid IPv4 mapped addresses.
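As an added check written for this page (not part of the advisory or the module's own test suite), the following Perl script uses the public new/add/prep_find/find API and the advisory's example range to report whether an installed Net::CIDR::Lite shows the lookup behaviour described above. The version comparison is the authoritative signal; the behavioural probe only exercises one case, so a clean probe on a version below 0.23 is still reported as affected.

```perl
#!/usr/bin/perl
# Added example (not part of the advisory or the Net::CIDR::Lite distribution):
# report whether the installed Net::CIDR::Lite is affected by CVE-2026-40199.
use strict;
use warnings;
use version;
use Net::CIDR::Lite;

# Range and probe addresses taken from the advisory text.
my $acl_range   = '::ffff:192.168.1.0/120';
my @should_pass = ('::ffff:192.168.1.5');   # inside ::ffff:192.168.1.0/120
my @should_fail = ('::ffff:192.168.2.0');   # outside the range

# Returns a list of observed problems (empty list = lookups behaved correctly).
sub check_lookups {
    my $cidr = Net::CIDR::Lite->new;
    $cidr->add($acl_range);
    $cidr->prep_find;

    my @problems;
    for my $ip (@should_pass) {
        push @problems, "$ip NOT matched by $acl_range" unless $cidr->find($ip);
    }
    for my $ip (@should_fail) {
        push @problems, "$ip WRONGLY matched by $acl_range" if $cidr->find($ip);
    }
    return @problems;
}

my $ver      = $Net::CIDR::Lite::VERSION;
my @problems = eval { check_lookups() };
push @problems, "lookup died: $@" if $@;

# Version is the primary signal: anything below 0.23 is affected regardless
# of what the single probe above happened to observe.
push @problems, "version $ver is below the fixed release 0.23"
    if version->parse($ver) < version->parse('0.23');

if (@problems) {
    print "Net::CIDR::Lite $ver: AFFECTED / suspicious\n";
    print "  - $_\n" for @problems;
    exit 1;
}
print "Net::CIDR::Lite $ver: IPv4-mapped lookups behave as expected\n";
exit 0;
```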
Detection Methods for CVE-2026-40199
Indicators of Compromise
- Unexpected access granted to resources protected by IP-based ACLs using Net::CIDR::Lite
- Log entries showing IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) accessing restricted resources
- Inconsistent IP filtering behavior when comparing applications using different CIDR parsing libraries
Detection Strategies
- Audit Perl applications for Net::CIDR::Lite module usage and verify that the installed version is 0.23 or later
- Review firewall and application logs for access attempts using IPv4-mapped IPv6 address formats
- Implement automated dependency scanning to identify vulnerable Net::CIDR::Lite installations across your environment
Monitoring Recommendations
- Enable detailed logging for IP-based access control decisions in applications using Net::CIDR::Lite
- Monitor for unusual access patterns involving IPv4-mapped IPv6 addresses in network traffic
- Set up alerts for access control bypass attempts that correlate with IPv6 address usage
How to Mitigate CVE-2026-40199
Immediate Actions Required
- Upgrade Net::CIDR::Lite to version 0.23 or later immediately
- Audit all Perl applications using Net::CIDR::Lite for IP-based access control functionality
- Review access logs for any evidence of ACL bypass attempts using IPv4-mapped IPv6 addresses
- Consider implementing defense-in-depth by adding secondary IP validation mechanisms
Patch Information
The vulnerability has been addressed in Net::CIDR::Lite version 0.23. The patch is available as a commit on GitHub, and the release notes are in the changelog on MetaCPAN.
Organizations should update via CPAN:
cpan Net::CIDR::Lite
Or using cpanminus:
cpanm Net::CIDR::Lite
Workarounds
- Avoid using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) in CIDR definitions until patched
- Implement additional IP validation layers outside of Net::CIDR::Lite for critical access control decisions
- Convert IPv4-mapped IPv6 addresses to native IPv4 format before processing through Net::CIDR::Lite
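An added example of the first and third workarounds, written for this page rather than taken from the module: IPv4-mapped addresses are unwrapped to dotted-quad IPv4 with the core Socket module before any Net::CIDR::Lite lookup, so the ACL itself can be kept in native IPv4 notation and the IPv6 packing path is never exercised for such clients. The names normalize_client_ip and acl_allows and the sample inputs are chosen here.

```perl
#!/usr/bin/perl
# Added example (not part of the advisory or Net::CIDR::Lite): normalize
# IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, RFC 4291) to plain IPv4 before
# handing them to Net::CIDR::Lite. Plain IPv4 and genuine IPv6 addresses are
# returned unchanged; unparseable input yields undef so callers fail closed.
use strict;
use warnings;
use Socket qw(AF_INET AF_INET6 inet_pton inet_ntop);
use Net::CIDR::Lite;

sub normalize_client_ip {
    my ($ip) = @_;
    return $ip unless $ip =~ /:/;                  # not IPv6 text at all
    my $raw = inet_pton(AF_INET6, $ip);
    return undef unless defined $raw;              # unparseable: do not guess
    # ::ffff:0:0/96 prefix = 10 zero bytes followed by 0xff 0xff
    if (substr($raw, 0, 12) eq ("\0" x 10) . "\xff\xff") {
        return inet_ntop(AF_INET, substr($raw, 12, 4));
    }
    return $ip;                                    # genuine IPv6, leave as-is
}

# ACL kept in native IPv4 notation (workaround: no ::ffff: ranges in CIDR defs).
my $acl = Net::CIDR::Lite->new;
$acl->add('192.168.1.0/24');
$acl->prep_find;

sub acl_allows {
    my ($client_ip) = @_;
    my $norm = normalize_client_ip($client_ip);
    return 0 unless defined $norm;                 # fail closed on garbage
    # A genuine IPv6 client cannot match an IPv4-only ACL; if find() croaks
    # on the mixed family, eval turns that into a deny as well.
    my $hit = eval { $acl->find($norm) };
    return $hit ? 1 : 0;
}

# Constructed sample inputs: mapped forms of in-range and out-of-range hosts,
# the hex spelling of a mapped address, a native IPv6 address and garbage.
for my $ip ('192.168.1.7', '::ffff:192.168.1.7', '::ffff:192.168.2.0',
            '::ffff:c0a8:107', '2001:db8::1', 'not-an-ip') {
    printf "%-22s -> %s\n", $ip, acl_allows($ip) ? 'allow' : 'deny';
}
```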
# Verify installed Net::CIDR::Lite version
perl -MNet::CIDR::Lite -e 'print $Net::CIDR::Lite::VERSION, "\n"'
# Update to patched version
cpanm Net::CIDR::Lite@0.23
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.