Amazon Linux 2023 Security Advisory: ALAS2023-2026-1732
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26
Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass.
Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result.
Example:
my $cidr = Net::CIDR::Lite->new();
$cidr->add("::1\n/128");
$cidr->find("::1a"); # incorrectly returns true
See also CVE-2026-45191. (CVE-2026-45190)
Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass.
Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value.
See also CVE-2026-45190. (CVE-2026-45191)
Affected Packages:
perl-Net-CIDR-Lite
Issue Correction:
Run dnf update perl-Net-CIDR-Lite --releasever 2023.11.20260526 or dnf update --advisory ALAS2023-2026-1732 --releasever 2023.11.20260526 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
noarch:
perl-Net-CIDR-Lite-0.22-8.amzn2023.0.2.noarch
src:
perl-Net-CIDR-Lite-0.22-8.amzn2023.0.2.src