Multiple Vulnerabilities in Net::CIDR::Lite Affect Ubuntu Releases

Severity: Medium (Score: 57.8)

Sources: Linuxsecurity, Ubuntu

Published: 2026-06-09 · Updated: 2026-06-09

Keywords: ubuntu, cidr, lite, issue, net--cidr--lite, major, access

Severity indicators: issue

Summary

Multiple vulnerabilities were discovered in the Net::CIDR::Lite module, affecting various Ubuntu versions, including 16.04 LTS and 18.04 LTS. The vulnerabilities allow remote attackers to bypass access controls based on IP addresses. Specifically, CVE-2021-47154 involves mishandling of extraneous zero characters in IP address strings, while CVE-2026-40198 and CVE-2026-40199 pertain to improper validation of IPv6 addresses and mishandling of IPv4-mapped IPv6 addresses, respectively. The issues were reported by Dave Rolsky and are critical for systems relying on IP-based access controls. Users are advised to update their systems to mitigate these vulnerabilities. CVE-2021-47154 was published on March 18, 2024, and CVE-2026-40198 and CVE-2026-40199 on April 10, 2026.

Key Points:

  • Net::CIDR::Lite vulnerabilities allow IP access control bypass.
  • Affected Ubuntu versions include 16.04 LTS and 18.04 LTS.
  • Users should update to the latest package versions to mitigate risks.

Detailed Analysis

**Impact** Ubuntu users across multiple releases are affected, including 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS. The vulnerabilities allow remote attackers to bypass IP-based access controls, potentially impacting any business or operational environment relying on these Ubuntu versions for network security. No specific sectors or geographies are detailed, but the broad Ubuntu user base implies widespread exposure.

**Technical Details** The vulnerabilities involve improper handling of IP address strings in the Net::CIDR::Lite Perl module, specifically extraneous zero characters in IPv4 addresses (CVE-2021-47154), invalid IPv6 group counts in uncompressed IPv6 addresses (CVE-2026-40198), and mishandling of IPv4-mapped IPv6 addresses (CVE-2026-40199). These issues enable remote attackers to bypass access controls based on IP filtering. No malware, tools, or specific infrastructure details are provided. The attack vector is remote exploitation of IP address parsing flaws during access control checks.

**Recommended Response** Apply the updated libnet-cidr-lite-perl package versions provided for each affected Ubuntu release, available via standard system updates or Ubuntu Pro for extended support releases. Prioritize patching Ubuntu 16.04 LTS and 18.04 LTS due to confirmed impact. Monitor network access logs for anomalous IP address patterns that may indicate exploitation attempts. No additional IOCs or detection signatures are provided in the sources.
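One way to do the log monitoring recommended above, as an added example that is not taken from the Ubuntu notice or the Net::CIDR::Lite project: it flags client addresses written in the three forms the CVEs concern so they can be reviewed. The log layout (bare client address as the first field), the sample lines and the finding names are assumptions made for this sketch; IPv4-mapped addresses also occur normally on dual-stack listeners, so a hit is a review item rather than proof of abuse.

```python
import re

# Constructed sample access-log lines; the client address is the first field.
SAMPLE_LOG = """\
010.0.0.1 - - [08/Jun/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 403 153
192.0.2.10 - - [08/Jun/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 512
::ffff:192.0.2.10 - - [08/Jun/2026:10:00:03 +0000] "GET /admin HTTP/1.1" 200 980
2001:db8:0:0:0:0:1 - - [08/Jun/2026:10:00:04 +0000] "GET /admin HTTP/1.1" 200 980
2001:db8::1 - - [08/Jun/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 512
"""

# "::ffff:" or its uncompressed spelling "0:0:0:0:0:ffff:".
MAPPED_PREFIX = re.compile(r"^(::|(0{1,4}:){5})ffff:", re.I)

def classify(addr):
    """Return the parsing-ambiguity findings for one bare address string."""
    findings = []
    if "." in addr:
        # Dotted quad: a plain IPv4 address or the tail of an IPv6 one.
        octets = addr.rsplit(":", 1)[-1].split(".")
        if any(len(o) > 1 and o.startswith("0") for o in octets):
            findings.append("leading-zero-octet")        # CVE-2021-47154
    if ":" in addr:
        if MAPPED_PREFIX.match(addr):
            findings.append("ipv4-mapped-ipv6")          # CVE-2026-40199
        if "::" not in addr:
            groups = addr.split(":")
            # An embedded dotted quad stands in for the last two groups.
            expected = 7 if "." in groups[-1] else 8
            if len(groups) != expected:
                findings.append("bad-ipv6-group-count")  # CVE-2026-40198
    return findings

def scan(log_text):
    """Return (line_number, address, findings) for every flagged log line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        addr = line.split()[0]
        findings = classify(addr)
        if findings:
            hits.append((n, addr, findings))
    return hits

if __name__ == "__main__":
    for n, addr, findings in scan(SAMPLE_LOG):
        print(f"line {n}: {addr} -> {', '.join(findings)}")
```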

Source articles (2)

  • USN-8406-1: Net::CIDR::Lite vulnerabilities — Ubuntu · 2026-06-08
    Dave Rolsky discovered that Net::CIDR::Lite did not properly handle extraneous zero characters at the beginning of an IP address string. A remote attacker could possibly use this issue to bypass acces…
  • Ubuntu 26.04 Net--CIDR--Lite Major Access Management Upgrade USN-8406 — Linuxsecurity · 2026-06-08
    A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS…

Timeline

  • 2024-03-18 — CVE-2021-47154 published: Vulnerability discovered in Net::CIDR::Lite related to extraneous zero characters in IP addresses.
  • 2026-04-10 — CVE-2026-40198 and CVE-2026-40199 published: Two vulnerabilities reported in Net::CIDR::Lite affecting IPv6 address handling.
  • 2026-06-08 — Security notice issued for Net::CIDR::Lite: Ubuntu released a security notice addressing multiple vulnerabilities in Net::CIDR::Lite.

CVEs

  • CVE-2021-47154
  • CVE-2026-40198
  • CVE-2026-40199

Related entities

  • CWE-287 - Improper Authentication (Cwe)
  • Linux (Platform)
  • Ubuntu (Company)