PatchSiren

CVE-2026-49941 RRWO CVE debrief

CVE-2026-49941 is a HIGH severity vulnerability in Net::CIDR::Set for Perl. Versions through 0.20 did not validate IP addresses, leading to potential denial of service (DoS) attacks. The `add` method called the `_encode` method to parse addresses. If the addresses did not look like netmasks or network ranges, they were assumed to be single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, this would lead to indefinite recursion. An attacker could use this to cause a denial of service.

Vendor: RRWO
Product: Net::CIDR::Set
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-08
Advisory published: 2026-06-04
Advisory updated: 2026-06-08

Who should care

Users of Net::CIDR::Set for Perl, especially those using versions through 0.20, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability exists in the Net::CIDR::Set module for Perl, specifically in versions through 0.20. The `add` method does not properly validate IP addresses, which can lead to indefinite recursion and a denial of service (DoS) attack.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to version 0.21 or later of Net::CIDR::Set for Perl.
  • Review and validate IP addresses before passing them to the `add` method.
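
The second action above, sketched as an added example (not code from Net::CIDR::Set or from the advisory): strings are checked with the core `Socket` module's `inet_pton` before they reach `add`, so nothing malformed gets to the parser. The helper names `addr_family` and `is_safe_spec` are hypothetical, the three accepted forms (single address, address/prefix-length, start-end range) are an assumption about what the caller needs, and the sample inputs are constructed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Hypothetical helper: address family of a well-formed IP literal, else undef.
sub addr_family {
    my ($addr) = @_;
    return undef unless defined $addr && length $addr && length $addr <= 45;
    return AF_INET
        if $addr =~ /\A[0-9.]+\z/ && defined inet_pton(AF_INET, $addr);
    return AF_INET6
        if $addr =~ /\A[0-9A-Fa-f:.]+\z/ && defined inet_pton(AF_INET6, $addr);
    return undef;
}

# Hypothetical helper: true only for the three forms this caller allows.
sub is_safe_spec {
    my ($spec) = @_;
    return 0 unless defined $spec && !ref $spec;
    if (my ($addr, $len) = $spec =~ m{\A([^/]+)/(0|[1-9][0-9]{0,2})\z}) {
        my $fam = addr_family($addr);            # address/prefix-length
        return 0 unless defined $fam;
        return $len <= ($fam == AF_INET ? 32 : 128) ? 1 : 0;
    }
    if (my ($start, $end) = $spec =~ /\A([^-]+)-([^-]+)\z/) {
        my $fa = addr_family($start);            # start-end range
        my $fb = addr_family($end);
        return (defined $fa && defined $fb && $fa == $fb) ? 1 : 0;
    }
    return defined addr_family($spec) ? 1 : 0;   # single address
}

# Constructed sample input; the last four entries are malformed.
my @candidates = ('192.0.2.0/24', '198.51.100.7', '192.0.2.10-192.0.2.20',
                  'not-an-ip', '192.0.2.0/33', '192.0.2', '');

my @accepted = grep { is_safe_spec($_) } @candidates;
print "rejected: '$_'\n" for grep { !is_safe_spec($_) } @candidates;

# Only validated strings reach add(); skipped if the module is not installed.
if (eval { require Net::CIDR::Set; 1 }) {
    my $set = Net::CIDR::Set->new;
    $set->add($_) for @accepted;
    print "set: ", $set->as_string, "\n";
}
```

The validator is deliberately stricter than the module's own parser: anything it does not recognise is dropped rather than passed through.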

Evidence notes

CVE-2026-49941 was reported by RRWO and has a CVSS score of 7.5. It was published on 2026-06-04T17:16:33.173Z and modified on 2026-06-08T16:37:29.237Z.

Official resources

CVE-2026-49941 was published on 2026-06-04T17:16:33.173Z and modified on 2026-06-08T16:37:29.237Z.