VIR Vulnerability Intelligence Relay

CVE-2021-4456

unknown
Published — · Modified —
CVSS v3
CVSS v2
VIR risk

Description

Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses. The documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. However, this mitigation is optional and not enforced by default. In practice, users may call `addr2cidr` or `cidrlookup` with untrusted input and without validation, incorrectly assuming that this is safe.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-4456

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-4456.html

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbookwormaffected
debian debianbullseyeaffected
debian debianforkyfixed0.25-1
debian debiansidfixed0.25-1
debian debiantrixiefixed0.25-1

References

Verify integrity in audit chain (admin only). AS-IS.