{"api_version":"1","generated_at":"2026-07-03T18:06:41+00:00","cve":"CVE-2026-56015","urls":{"html":"https://cve.report/CVE-2026-56015","api":"https://cve.report/api/cve/CVE-2026-56015.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-56015","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-56015"},"summary":{"title":"Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length","description":"Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length.\n\nadd() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width.\n\naddPrefixToTrie() then walks the prefix buffer by prefix_length bits, reading prefix[byte] for byte up to prefix_len/8, where prefix is the 4-byte (IPv4) or 16-byte (IPv6) packed address. A prefix length greater than 32 for IPv4 or 128 for IPv6, for example add(\"1.2.3.4/255\", $v) or add(\"2001:db8::/255\", $v), reads past the end of the packed address.\n\nThe out-of-bounds read happens during trie construction and is bounded: the prefix length is stored as an unsigned char, so the bit walk reads at most 32 bytes from the start of the packed address, a short distance past the end of the 4-byte or 16-byte buffer. It is detectable under AddressSanitizer, valgrind, or a hardened allocator, where it can abort the process. Lookups and dump() format only the valid address width, so the out-of-bounds bytes are not exposed through the module's API.","state":"PUBLISHED","assigner":"CPANSec","published_at":"2026-07-03 13:17:30","updated_at":"2026-07-03 17:16:54"},"problem_types":["CWE-125","CWE-125 CWE-125 Out-of-bounds Read"],"metrics":[],"references":[{"url":"https://rt.cpan.org/Ticket/Display.html?id=179856","name":"https://rt.cpan.org/Ticket/Display.html?id=179856","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.metacpan.org/patches/N/Net-IP-LPM/1.10/CVE-2026-56015-r2.patch","name":"https://security.metacpan.org/patches/N/Net-IP-LPM/1.10/CVE-2026-56015-r2.patch","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.openwall.com/lists/oss-security/2026/07/03/4","name":"http://www.openwall.com/lists/oss-security/2026/07/03/4","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-56015","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56015","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"TPODER","product":"Net::IP::LPM","version":"affected 1.10 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Apply the patch.\n\nOtherwise, reject prefix lengths greater than 32 (IPv4) or 128 (IPv6) before passing them to add().","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-07-03T16:31:29.386Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/07/03/4"}],"title":"CVE Program Container"}],"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Net-IP-LPM","product":"Net::IP::LPM","programFiles":["lib/Net/IP/LPM.pm","lpm_lib.c"],"programRoutines":[{"name":"Net::IP::LPM::add"},{"name":"addPrefixToTrie"},{"name":"lpm_add_raw"}],"vendor":"TPODER","versions":[{"lessThanOrEqual":"1.10","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length.\n\nadd() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width.\n\naddPrefixToTrie() then walks the prefix buffer by prefix_length bits, reading prefix[byte] for byte up to prefix_len/8, where prefix is the 4-byte (IPv4) or 16-byte (IPv6) packed address. A prefix length greater than 32 for IPv4 or 128 for IPv6, for example add(\"1.2.3.4/255\", $v) or add(\"2001:db8::/255\", $v), reads past the end of the packed address.\n\nThe out-of-bounds read happens during trie construction and is bounded: the prefix length is stored as an unsigned char, so the bit walk reads at most 32 bytes from the start of the packed address, a short distance past the end of the 4-byte or 16-byte buffer. It is detectable under AddressSanitizer, valgrind, or a hardened allocator, where it can abort the process. Lookups and dump() format only the valid address width, so the out-of-bounds bytes are not exposed through the module's API."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-125","description":"CWE-125 Out-of-bounds Read","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-03T12:56:04.288Z","orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec"},"references":[{"tags":["issue-tracking","vendor-advisory"],"url":"https://rt.cpan.org/Ticket/Display.html?id=179856"},{"tags":["patch"],"url":"https://security.metacpan.org/patches/N/Net-IP-LPM/1.10/CVE-2026-56015-r2.patch"}],"source":{"discovery":"UNKNOWN"},"title":"Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length","workarounds":[{"lang":"en","value":"Apply the patch.\n\nOtherwise, reject prefix lengths greater than 32 (IPv4) or 128 (IPv6) before passing them to add()."}],"x_generator":{"engine":"cpansec-cna-tool 0.1"}}},"cveMetadata":{"assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","assignerShortName":"CPANSec","cveId":"CVE-2026-56015","datePublished":"2026-07-03T12:56:04.288Z","dateReserved":"2026-06-18T11:27:09.117Z","dateUpdated":"2026-07-03T16:31:29.386Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-03 13:17:30","lastModifiedDate":"2026-07-03 17:16:54","problem_types":["CWE-125","CWE-125 CWE-125 Out-of-bounds Read"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"56015","Ordinal":"1","Title":"Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-","CVE":"CVE-2026-56015","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"56015","Ordinal":"1","NoteData":"Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length.\n\nadd() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width.\n\naddPrefixToTrie() then walks the prefix buffer by prefix_length bits, reading prefix[byte] for byte up to prefix_len/8, where prefix is the 4-byte (IPv4) or 16-byte (IPv6) packed address. A prefix length greater than 32 for IPv4 or 128 for IPv6, for example add(\"1.2.3.4/255\", $v) or add(\"2001:db8::/255\", $v), reads past the end of the packed address.\n\nThe out-of-bounds read happens during trie construction and is bounded: the prefix length is stored as an unsigned char, so the bit walk reads at most 32 bytes from the start of the packed address, a short distance past the end of the 4-byte or 16-byte buffer. It is detectable under AddressSanitizer, valgrind, or a hardened allocator, where it can abort the process. Lookups and dump() format only the valid address width, so the out-of-bounds bytes are not exposed through the module's API.","Type":"Description","Title":"Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-"}]}}}