CVE-2026-49940 Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks

🗓️ 04 Jun 2026 16:07:01Reported by CPANSecType

CVE-2026-49940: Net::CIDR::Set up to 0.20 accepts non-ASCII digits in IPs and netmasks, enabling larger networks.

Reporter	Title	Published	Views	Family All 14
ATTACKERKB	CVE-2026-49940	4 Jun 202616:07	–	attackerkb
CVE	CVE-2026-49940	4 Jun 202616:07	–	cve
Debian CVE	CVE-2026-49940	4 Jun 202616:07	–	debiancve
EUVD	EUVD-2026-34297	4 Jun 202616:07	–	euvd
NVD	CVE-2026-49940	4 Jun 202617:16	–	nvd
OPENSUSE Linux	perl-Net-CIDR-Set-0.210.0-1.1 on GA media (moderate)	8 Jun 202600:00	–	opensuse
OSV	DEBIAN-CVE-2026-49940	4 Jun 202617:16	–	osv
OSV	OPENSUSE-SU-2026:10951-1 perl-Net-CIDR-Set-0.210.0-1.1 on GA media	3 Jun 202600:00	–	osv
OSV	UBUNTU-CVE-2026-49940	4 Jun 202617:16	–	osv
Positive Technologies	PT-2026-46266	3 Jun 202600:00	–	ptsecurity

[
  {
    "collectionURL": "https://cpan.org/modules",
    "defaultStatus": "unaffected",
    "packageName": "Net-CIDR-Set",
    "product": "Net::CIDR::Set",
    "programRoutines": [
      {
        "name": "Net::CIDR::Set::IPv4::_pack"
      },
      {
        "name": "Net::CIDR::Set::IPv4::_encode"
      },
      {
        "name": "Net::CIDR::Set::IPv6::_pack"
      },
      {
        "name": "Net::CIDR::Set::IPv6::_pack_ipv4"
      }
    ],
    "repo": "https://github.com/robrwo/perl-Net-CIDR-Set",
    "vendor": "RRWO",
    "versions": [
      {
        "lessThanOrEqual": "0.20",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
metacpan	www.metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-40911

04 Jun 2026 16:07Current

EPSS0.00033

CWE-1289