diff --git a/internal/lang/funcs/cidr.go b/internal/lang/funcs/cidr.go
index c6f42c4d70bc..bf878b50cb7a 100644
--- a/internal/lang/funcs/cidr.go
+++ b/internal/lang/funcs/cidr.go
@@ -60,6 +60,10 @@ var CidrNetmaskFunc = function.New(&function.Spec{
 			return cty.UnknownVal(cty.String), fmt.Errorf("invalid CIDR expression: %s", err)
 		}
 
+		if network.IP.To4() == nil {
+			return cty.UnknownVal(cty.String), fmt.Errorf("IPv6 addresses cannot have a netmask: %s", args[0].AsString())
+		}
+
 		return cty.StringVal(ipaddr.IP(network.Mask).String()), nil
 	},
 })
diff --git a/internal/lang/funcs/cidr_test.go b/internal/lang/funcs/cidr_test.go
index cb8d810a9392..5d8a96058983 100644
--- a/internal/lang/funcs/cidr_test.go
+++ b/internal/lang/funcs/cidr_test.go
@@ -118,11 +118,6 @@ func TestCidrNetmask(t *testing.T) {
 			cty.StringVal("0.0.0.0"),
 			false,
 		},
-		{
-			cty.StringVal("1::/64"),
-			cty.StringVal("ffff:ffff:ffff:ffff::"),
-			false,
-		},
 		{
 			// We inadvertently inherited a pre-Go1.17 standard library quirk
 			// if parsing zero-prefix parts as decimal rather than octal.
@@ -144,6 +139,11 @@ func TestCidrNetmask(t *testing.T) {
 			cty.UnknownVal(cty.String),
 			true, // can't have an octet >255
 		},
+		{
+			cty.StringVal("1::/64"),
+			cty.UnknownVal(cty.String),
+			true, // IPv6 is invalid
+		},
 	}
 
 	for _, test := range tests {