CVE-2026-49941: Net::CIDR::Set Infinite Recursion Denial of Service
Net::CIDR::Set, a Perl library for managing IP address ranges, contains a flaw in how it parses IP addresses. When the library receives an improperly formatted IP address, instead of rejecting it, the code enters an infinite loop trying to process it. An attacker can exploit this by sending malformed input to applications using the vulnerable library, causing them to hang and become unresponsive. This is a denial-of-service vulnerability affecting versions up to and including 0.20.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-1287, CWE-674
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
Net::CIDR::Set versions through 0.20 lack proper input validation in the add method's address parsing logic. The _encode method is called to parse input; if an argument does not match expected netmask or network range patterns, it is recursively passed back to _encode as a 32-bit (IPv4) or 128-bit (IPv6) netmask. When the input is not a well-formed IP address, this recursive call chain never terminates, leading to unbounded recursion and stack exhaustion. The vulnerability is rooted in improper input validation (CWE-1287) and infinite recursion (CWE-674).
Business impact
Applications relying on Net::CIDR::Set for IP filtering, access control lists, or network range management could become unresponsive if an attacker provides crafted input. This could disrupt services dependent on the library, affecting availability for legitimate users. Organizations using this library in production environments, particularly in network security tools or firewall rule engines, should prioritize remediation to maintain service continuity.
Affected systems
Net::CIDR::Set versions 0.20 and earlier are affected. Any Perl application that imports and uses this library to parse IP addresses or network ranges is at risk. This includes custom network management tools, security scripts, and any system that accepts external input for IP address validation via this library.
Exploitability
Exploitation is straightforward and requires no authentication or special privileges. An attacker only needs to supply a malformed IP address string to any code path that calls the add method on a Net::CIDR::Set object. Since the attack vector is network-accessible and the complexity is low, this vulnerability presents a practical denial-of-service risk. No exploit code or user interaction is required.
Remediation
Upgrade Net::CIDR::Set to a patched version released after 0.20. Verify the specific patch version number against the vendor's official release notes. As a temporary mitigation, implement strict input validation on IP address arguments before passing them to Net::CIDR::Set, rejecting any input that does not conform to standard IPv4 or IPv6 notation.
Patch guidance
Check the CPAN repository or the vendor's official advisory for the current recommended version of Net::CIDR::Set. Apply the upgrade across all systems and applications that depend on this library. After patching, conduct regression testing to ensure that legitimate IP address and network range operations function correctly. Verify that the patch is compatible with your Perl version and any other dependencies.
Detection guidance
Monitor for process hangs or high CPU usage in applications using Net::CIDR::Set, particularly when handling external or untrusted input. Review application logs for repeated calls to the add method with unusual or malformed arguments. Implement network-level rate limiting to prevent an attacker from triggering multiple denial-of-service events in quick succession. Intrusion detection systems should flag attempts to pass non-standard IP address formats to services known to use this library.
Why prioritize this
With a CVSS score of 7.5 (HIGH) and a network-accessible attack vector requiring no authentication, this vulnerability poses a clear availability risk. Although it does not enable data theft or system compromise, its ease of exploitation and potential to disrupt production services warrants prompt patching. The lack of KEV designation suggests it has not yet been widely exploited in the wild, but the simplicity of the attack makes it a reasonable candidate for near-term exploitation.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects a high-severity denial-of-service vulnerability. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates network accessibility, low attack complexity, no required privileges, no user interaction, and high impact on availability. Confidentiality and integrity are unaffected, keeping the score below critical range, but the straightforward exploitation path and unavailability impact justify the HIGH rating.
Frequently asked questions
How can I tell if my application is affected?
Check your Perl dependencies and module list for Net::CIDR::Set. If present, verify the installed version by running `perl -e 'use Net::CIDR::Set; print $Net::CIDR::Set::VERSION'`. Any version 0.20 or lower is affected. Review your code for calls to the add method that might receive external or untrusted input.
What does the infinite recursion actually do to a running process?
Each recursive call to _encode consumes stack memory. Eventually, the call stack overflows, triggering a stack exhaustion error that causes the Perl process to crash or hang indefinitely. This consumes system resources and blocks the application from responding to legitimate requests.
Can this vulnerability be exploited remotely, or only locally?
It can be exploited remotely if an application accepts external input (via a web form, API endpoint, config file, etc.) and passes it to Net::CIDR::Set without validation. The CVSS network vector confirms that remote exploitation is feasible in typical deployment scenarios.
Should I wait for a vendor patch, or implement a workaround now?
If a patched version is already available, upgrading is the preferred solution. If the patch is not yet released, implement strict input validation that rejects any string that does not match standard IPv4 (dotted-decimal) or IPv6 (colon-separated hexadecimal) notation before passing it to the add method.
This analysis is based on publicly disclosed vulnerability information and vendor advisories current as of the publication date. Version numbers, patch availability, and vendor recommendations should be verified against the official CPAN repository and vendor security advisories before deployment. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor responses. Always test patches in a non-production environment before rolling out to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46149HIGHLinux Kernel SCSI Target Memory Disclosure & DoS Vulnerability
- CVE-2024-6858MEDIUMArista EOS 802.1X Multi-Auth Bypass via Fallback VLAN EAPOL Device
- CVE-2026-40989MEDIUMSpring Cloud Function Infinite Recursion OOM Vulnerability
- CVE-2026-44740MEDIUMBilly Go Library Denial-of-Service via Input Validation Flaws
- CVE-2026-47306MEDIUMrlottie Uncontrolled Recursion Denial-of-Service Vulnerability
- CVE-2026-47320MEDIUMrlottie Memory Safety Vulnerability – Uninitialized Pointer & Recursion Flaw
- CVE-2026-47675MEDIUMHono Cookie Injection Vulnerability in sameSite and priority Parameters
- CVE-2026-47706MEDIUMStrawberry GraphQL QueryDepthLimiter Denial of Service