From 25d65f85dbe4885959a10471725ec9d250a589c3 Mon Sep 17 00:00:00 2001
From: Stig Palmquist <git@stig.io>
Date: Fri, 10 Apr 2026 00:31:51 +0200
Subject: [PATCH] CVE-2026-40198: Reject invalid uncompressed IPv6

_pack_ipv6() accepted uncompressed IPv6 addresses with fewer than 8
groups. This resulted in incorrect packed values affecting mask and
comparison operations, possibly allowing IP ACL bypass via find().
---
 Lite.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Lite.pm b/Lite.pm
index 0e2299f..acf8f0d 100644
--- a/Lite.pm
+++ b/Lite.pm
@@ -206,6 +206,7 @@ sub _pack_ipv6 {
         return;
     }
     return if $ipv4 and @nums > 6;
+    return unless $empty or @nums == ($ipv4 ? 6 : 8);
     $str =~ s/X/"0" x (($ipv4 ? 25 : 33)-length($str))/e if $empty;
     pack("H*", "00" . $str).$ipv4;
 }
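Review bot: The `6` in the added guard `@nums == ($ipv4 ? 6 : 8)` may be off by one for addresses with a dotted-quad tail: the following line pads the hex part to 24 digits (six groups) when `$ipv4` is set, so if `@nums` also counts the dotted-quad element (its construction is outside the hunk), an uncompressed input with six elements carries only five hex groups and would still be packed short. The guard is consistent with the existing `return if $ipv4 and @nums > 6;` above it, so the two checks would need revisiting together once the loop that fills `@nums` is confirmed. The diffstat shows only Lite.pm changed, so a regression test that feeds short uncompressed forms, with and without an IPv4 tail, through the public parser and expects rejection would pin the behaviour down. A comment on the new line such as `# uncompressed form must supply every group; "::" (tracked by $empty) is the only way to omit groups` would also explain the constants.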

