CVE-2026-56015

TPODER · Net::IP::LPM

The Perl module Net::IP::LPM allows a heap out-of-bounds read due to improper validation of prefix lengths in the add() function.

Executive summary

A heap out-of-bounds read vulnerability in the Net::IP::LPM Perl module could potentially lead to information disclosure or application instability.

Vulnerability

This is a heap out-of-bounds read vulnerability (CWE-125). The add() function fails to validate the prefix length against the address width before passing it to the trie builder, causing the buffer to be read beyond its allocated memory when processing malicious inputs.

Business impact

With a CVSS score of 9.1, this vulnerability poses a severe risk to applications relying on this module for network prefix matching. Successful exploitation could lead to sensitive memory disclosure or denial-of-service conditions, potentially crashing the host application or exposing data stored in adjacent memory.

Remediation

Immediate Action: Check the CPAN security portal for the latest patch or updated version of Net::IP::LPM and apply it to all affected environments.

Proactive Monitoring: Monitor application logs for unexpected crashes or error messages related to memory access or malformed network input processing.

Compensating Controls: If an update is unavailable, implement input validation at the application level to ensure that provided prefix lengths are within expected bounds before calling the module functions.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Users of the Net::IP::LPM Perl module should prioritize identifying where this library is utilized in their infrastructure. Given the critical nature of heap-based memory vulnerabilities, applying available patches or implementing strict input validation is essential to mitigate the risk of memory corruption.