CVE-2026-49941: Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses
Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If an address did not look like a netmask or a network range, it was assumed to be a single IP address and passed back to _encode as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, this led to indefinite recursion. An attacker could use this to cause a denial of service.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An uncontrolled recursion vulnerability in Net::CIDR::Set for Perl (versions through 0.20) allows a remote, unauthenticated attacker to trigger a denial of service. The add method fails to validate IP address input before passing it recursively to itself, meaning a malformed address string causes indefinite recursion with no termination condition. Successful exploitation crashes or hangs the affected process, making any service that relies on Net::CIDR::Set unavailable. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Available: Detection runs across every HarborGuard environment. The CVE is matched against customer images within minutes of ingestion from upstream advisory feeds, covering both third-party base images and custom-built images that bundle the Net::CIDR::Set Perl module. Any image containing an affected version of RRWO/Net::CIDR::Set (0.20 or earlier) will surface a finding in the relevant pipeline scan.
Available: HarborGuard scores this finding at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine escalation priority. Findings can be routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Pending upstream: Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as a remediated release of Net::CIDR::Set ships. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version exists.
Exploit Conditions
- Network reachability: Required
The attacker sends a malformed IP address over the network to any service endpoint that passes user-supplied input into Net::CIDR::Set's add method.
- Authentication: Not required
No credentials or session token are needed; the vulnerable code path is reachable by any unauthenticated request.
- Victim interaction: Not required
No user action is required; the attacker triggers the recursive loop entirely through their own network request.
- Attack complexity: Low
The exploit is reliable and condition-free: any malformed IP address string is sufficient to trigger indefinite recursion, with no race to time and no environmental prerequisites to satisfy.
Blast Radius
- Crashes or indefinitely hangs the Perl process hosting the affected application, making it unresponsive to further requests.
- Any service functionality that depends on CIDR-set operations becomes unavailable for the duration of the hang or until the process is restarted.
- If the affected process runs inside a container without a watchdog or restart policy, downtime persists until an operator intervenes.
How HarborGuard Handles This
Available on HarborGuard: scanning for this CVE is active across customer environments, and any image containing Net::CIDR::Set 0.20 or earlier will generate a HIGH-severity finding routed according to each environment's compliance policy. Because no upstream fix has been published, HarborGuard re-evaluates the advisory on each ingest cycle. In the interim, customers can apply compensating controls by enforcing network-policy rules that restrict which callers can submit arbitrary address strings to services using Net::CIDR::Set, validating and rejecting non-conforming IP input at an ingress layer before it reaches the library, and enabling process-level restart policies so that a triggered hang does not result in prolonged downtime. When RRWO publishes a patched release, a rebuilt image will become available on HarborGuard immediately, and for customers with auto-remediation enabled, a regression-tested PR will be opened against affected workloads automatically.
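The ingress-layer validation mentioned above, as an added example in Perl (not HarborGuard's code and not part of Net::CIDR::Set): a strict allowlist that accepts only a bare IPv4/IPv6 address or address/prefix-length, deliberately narrower than the syntax the library itself parses, so a malformed string is rejected before it can reach the add method. The guarded_add wrapper and the sample inputs are assumptions for illustration.

```perl
#!/usr/bin/env perl
# Added example, not code from Net::CIDR::Set or HarborGuard: validate address
# strings at the ingress layer so malformed input never reaches ->add.
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Address family of a plain address string, or 0 if it is not one.
# inet_pton is strict: no shorthand dotted forms, no zone ids, no whitespace.
sub _family {
    my ($addr) = @_;
    return 0 unless defined $addr && length $addr;
    return AF_INET  if defined inet_pton(AF_INET,  $addr);
    return AF_INET6 if defined inet_pton(AF_INET6, $addr);
    return 0;
}

# Allowlist: "addr" or "addr/prefix" only (prefix 0..32 for v4, 0..128 for v6).
# Ranges ("a-b") and dotted netmasks are rejected here on purpose; widen the
# check only if the service genuinely needs those forms.
sub is_valid_cidr_input {
    my ($str) = @_;
    return 0 unless defined $str;
    return 0 if $str =~ /\s/;
    my @parts = split m{/}, $str, -1;   # -1 keeps a trailing empty field ("1.2.3.4/")
    return 0 if @parts > 2;
    my ($addr, $prefix) = @parts;
    my $family = _family($addr) or return 0;
    return 1 unless defined $prefix;     # bare address
    return 0 unless $prefix =~ /^(?:0|[1-9][0-9]{0,2})$/;   # rejects "+24", "024", ""
    my $max = $family == AF_INET ? 32 : 128;
    return $prefix <= $max ? 1 : 0;
}

# Hypothetical wrapper around a Net::CIDR::Set object's add method (the
# vulnerable entry point): fail closed on any bad input instead of passing
# the whole list through to the library.
sub guarded_add {
    my ($set, @inputs) = @_;
    my @bad = grep { !is_valid_cidr_input($_) } @inputs;
    die "rejected malformed address input: @bad\n" if @bad;
    return $set->add(@inputs);
}

# Constructed sample inputs, as an ingress filter would see them.
for my $s ('10.0.0.1', '10.0.0.0/8', '2001:db8::/32', '2001:db8::1',
           'not-an-ip', '10.0.0.0/33', '1.2.3/24', '10.0.0.0//8', '::1/129') {
    printf "%-16s %s\n", $s, is_valid_cidr_input($s) ? 'accept' : 'reject';
}
```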
Affected Products
- RRWO / Net::CIDR::Set: ≤ 0.20
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H