Cyber Posture

CVE-2026-40198

Severity: High

Published: 10 April 2026
Modified: 21 April 2026
KEV Added: not listed
Patch: available (Net::CIDR::Lite 0.23)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0005 (14.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40198 is a high-severity Improper Validation of Syntactic Correctness of Input (CWE-1286) vulnerability in Net::CIDR::Lite (vendor: stigtsp). Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 14.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly requires validation of IPv6 address inputs to reject malformed uncompressed addresses lacking exactly eight hex groups, preventing ACL bypass (SI-10, Information Input Validation).

prevent: Mandates timely identification, reporting, and patching of flaws like the _pack_ipv6() validation failure in Net::CIDR::Lite versions before 0.23.

detect: Vulnerability scanning detects CVE-2026-40198 in Perl module dependencies used for IP ACLs, enabling remediation before exploitation (RA-5, Vulnerability Monitoring and Scanning).

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The input validation flaw in Net::CIDR::Lite enables remote unauthenticated attackers to supply crafted IPv6 addresses that bypass IP ACLs and range checks in dependent applications, directly facilitating exploitation of public-facing applications for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Net::CIDR::Lite versions before 0.23 for Perl do not validate the IPv6 group count, which may allow IP ACL bypass. _pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and produce packed values of wrong length (3, 7, or 15 bytes instead of 17). The packed values are used internally for mask and comparison operations. find() and bin_find() use Perl string comparison (lt/gt) on these values, and comparing strings of different lengths gives wrong results. This can cause find() to incorrectly report an address as inside or outside a range. Example:

my $cidr = Net::CIDR::Lite->new("::/8");
$cidr->find("1:2:3"); # invalid input, incorrectly returns true

This is the same class of input validation issue as CVE-2021-47154 (IPv4 leading zeros) previously fixed in this module. See also CVE-2026-40199, a related issue in the same function affecting IPv4-mapped IPv6 addresses.

Deeper analysis [AI-generated]

CVE-2026-40198 is an input validation flaw in Net::CIDR::Lite, a Perl module for handling CIDR IP address ranges, affecting versions prior to 0.23. The vulnerability resides in the _pack_ipv6() function, which fails to verify that uncompressed IPv6 addresses (lacking :: abbreviation) contain exactly eight hexadecimal groups. Malformed inputs such as "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted, resulting in incorrectly packed binary values of improper lengths (e.g., 3, 7, or 15 bytes instead of the expected 17 bytes). These erroneous packed values propagate to mask and comparison operations in find() and bin_find(), where Perl's string comparison (lt/gt) on unequal-length strings produces incorrect inclusion/exclusion results for IP ranges.

Remote attackers without authentication can exploit this issue by supplying crafted IPv6 addresses to applications using Net::CIDR::Lite for IP access control lists (ACLs) or range checks. For instance, an input like "1:2:3" may be falsely reported as matching a broad range such as "::/8", enabling unauthorized access. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) reflects high integrity impact through ACL bypass, with no confidentiality or availability disruption. This mirrors a prior issue, CVE-2021-47154, involving IPv4 leading zeros, and relates to CVE-2026-40199 affecting IPv4-mapped IPv6 addresses in the same function.

Mitigation requires upgrading to Net::CIDR::Lite version 0.23, which addresses the flaw via validation enhancements in _pack_ipv6(), as detailed in the module's changes on MetaCPAN and a corresponding GitHub commit (25d65f85dbe4885959a10471725ec9d250a589c3). Practitioners should audit dependencies that use this module in network filtering or firewall scripts and apply the patch promptly. The issue is classified as CWE-1286 (Improper Validation of Syntactic Correctness of Input).
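The mechanism described in the NVD description and the deeper analysis above, as an added Perl example that is not code from the advisory, from Net::CIDR::Lite or from its author: a lenient packer that mirrors the described flaw (any number of hex groups accepted) is placed beside a strict packer that enforces exactly eight groups after expanding a single "::", and a find()-style string comparison against the bounds of ::/8 shows how unequal-length packed values produce a wrong verdict. The function names, the one-byte prefix before the packed groups (assumed here so that the 3/7/15/17-byte lengths quoted above are reproduced) and the hard-coded ::/8 bounds are constructed assumptions, not the module's internal format.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed illustration of the flaw class, not the Net::CIDR::Lite source.
# Any number of colon-separated hex groups is accepted, so the result is
# 1 + 2*groups bytes long instead of a fixed 17 (the leading "\0" byte is an
# assumption chosen to match the byte lengths quoted in the advisory).
sub pack_ipv6_lenient {
    my ($addr) = @_;
    my @groups = map { length($_) ? hex($_) : 0 } split /:/, $addr;
    return "\0" . pack("n*", @groups);
}

# Hardened packer: a single "::" is expanded, then exactly eight groups of one
# to four hex digits are required. Anything else is rejected with undef so the
# caller never compares a malformed value.
sub pack_ipv6_strict {
    my ($addr) = @_;
    return undef if $addr =~ /[^0-9A-Fa-f:]/;       # only hex digits and colons
    my @groups;
    if ($addr =~ /::/) {
        return undef if $addr =~ /::.*::/;          # at most one "::"
        my ($left, $right) = split /::/, $addr, 2;
        my @l = length($left)  ? split(/:/, $left,  -1) : ();
        my @r = length($right) ? split(/:/, $right, -1) : ();
        return undef if @l + @r > 7;                # "::" stands for >= 1 group
        @groups = (@l, ('0') x (8 - @l - @r), @r);
    } else {
        @groups = split /:/, $addr, -1;             # -1 keeps trailing empties
    }
    return undef unless @groups == 8;               # exactly eight groups
    return undef if grep { !/^[0-9A-Fa-f]{1,4}$/ } @groups;
    return "\0" . pack("n8", map { hex($_) } @groups);
}

# Bounds of ::/8 in the same 17-byte layout (constructed): low end all zeros,
# high end 0x00ff in the first group and 0xffff in the remaining seven.
my $LO = "\0" . pack("n8", (0) x 8);
my $HI = "\0" . pack("n8", 0x00ff, (0xffff) x 7);

# Inclusion test in the style the advisory attributes to find(): plain string
# comparison of packed values. With lenient packing the operands may differ in
# length, so the verdict is meaningless for malformed input.
sub in_slash8_lenient {
    my $p = pack_ipv6_lenient(shift);
    return ($p ge $LO && $p le $HI) ? 1 : 0;
}

# Same comparison, but malformed input is refused before any comparison.
sub in_slash8_strict {
    my $p = pack_ipv6_strict(shift);
    return undef unless defined $p;                 # no verdict for invalid input
    return ($p ge $LO && $p le $HI) ? 1 : 0;
}

# Inputs from the advisory plus two well-formed addresses for contrast.
for my $addr ("abcd", "1:2:3", "1:2:3:4:5:6:7", "1:2:3:4:5:6:7:8", "::1", "ff00::1") {
    my $lenient = pack_ipv6_lenient($addr);
    my $strict  = pack_ipv6_strict($addr);
    printf "%-16s lenient: %2d bytes, in ::/8 = %d | strict: %s\n",
        $addr, length($lenient), in_slash8_lenient($addr),
        defined $strict
            ? sprintf("%d bytes, in ::/8 = %d", length($strict), in_slash8_strict($addr))
            : "rejected (malformed)";
}
```

Running the script shows the three malformed inputs packing to 3, 7 and 15 bytes on the lenient path, with "1:2:3" and "1:2:3:4:5:6:7" reported as inside ::/8 purely because a shorter string sorts between the two 17-byte bounds; the strict path returns no verdict for them and agrees with the lenient path only on the two well-formed addresses. When auditing code that wraps this module for ACLs, the defensive pattern is the same: validate the address shape before it reaches any comparison, and treat "rejected" as a distinct outcome from "outside the range".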

Details

CWE(s)

CWE-1286: Improper Validation of Syntactic Correctness of Input

Affected Products

stigtsp: Net::CIDR::Lite (versions before 0.23)

CVEs Like This One

CVE-2025-59785 (shared CWE-1286)
CVE-2025-41719 (shared CWE-1286)
CVE-2025-0638 (shared CWE-1286)
CVE-2026-21917 (shared CWE-1286)
CVE-2026-33778 (shared CWE-1286)
CVE-2026-25513 (shared CWE-1286)
CVE-2025-22868 (shared CWE-1286)
CVE-2026-6442 (shared CWE-1286)
