CVE-2026-40199

packipv6() includes the sentinel byte from packipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address.

The wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find() which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses.

Example:

my $cidr = Net::CIDR::Lite->new("::ffff:192.168.1.0/120"); $cidr->find("::ffff:192.168.2.0"); # incorrectly returns true

This is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x).

See also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.

Database specific

{
    "cwe_ids": [
        "CWE-130"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40199.json",
    "cna_assigner": "CPANSec"
}

References

Affected packages

Git / github.com/stigtsp/net-cidr-lite

Affected ranges

Type

GIT

Repo

https://github.com/stigtsp/net-cidr-lite

Events

Introduced

Fixed

9a0759afb56ec1a442d7cbb657ac07f6f3c29b17

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.23"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*

0.21

0.22

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-40199.json"