CVE-2026-56015
TPODER · Net::IP::LPM
The Perl module Net::IP::LPM allows a heap out-of-bounds read due to improper validation of prefix lengths in the add() function.
Executive summary
A heap out-of-bounds read vulnerability in the Net::IP::LPM Perl module could potentially lead to information disclosure or application instability.
Vulnerability
This is a heap out-of-bounds read vulnerability (CWE-125). The add() function fails to validate the prefix length against the address width before passing it to the trie builder, causing the buffer to be read beyond its allocated memory when processing malicious inputs.
Business impact
With a CVSS score of 9.1, this vulnerability poses a severe risk to applications relying on this module for network prefix matching. Successful exploitation could lead to sensitive memory disclosure or denial-of-service conditions, potentially crashing the host application or exposing data stored in adjacent memory.
Remediation
Immediate Action: Check the CPAN security portal for the latest patch or updated version of Net::IP::LPM and apply it to all affected environments.
Proactive Monitoring: Monitor application logs for unexpected crashes or error messages related to memory access or malformed network input processing.
Compensating Controls: If an update is unavailable, implement input validation at the application level to ensure that provided prefix lengths are within expected bounds before calling the module functions.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Users of the Net::IP::LPM Perl module should prioritize identifying where this library is utilized in their infrastructure. Given the critical nature of heap-based memory vulnerabilities, applying available patches or implementing strict input validation is essential to mitigate the risk of memory corruption.