Marking as security for now since it contains an IP range.
I was able to block the range 2600:7400:0:0:0:0:0:0/28 (or as I had entered it in the block form, 2600:7400::/28), but when I tried to run a check on that same range, I got the "invalid IP" error (I tried both forms and got the same result). It is a valid /28 range of IPv6 addresses, so I presume there is something wrong with the CheckUser code. I will investigate and propose a patch myself soon.
Turns out the reason for this is that $wgBlockCIDRLimit by default allows blocking IPv6 in up to /19, but $wgCheckUserCIDRLimit will not allow checking ranges wider than /32. Not knowing what the reason behind this is, I will leave it as is for now.
However, as I was investigating this I noted the CheckUser uses a regex-based method to identify IPs and ranges, which is bad because we already have methods to do this in MediaWiki core. So I will submit a patch to fix that.
So apparently Gerritbot cannot send notifications here due to the Custom Policy (which by the way can be removed). So I am adding a link to the patch manually: https://gerrit.wikimedia.org/r/#/c/368327/
Change 368327 merged by jenkins-bot:
[mediawiki/extensions/CheckUser@master] Use methods from the IP class to validate IPs and CIDR ranges
Re-opening it as the problem persists despite the patch. A range like 2A01:4F8:0:0:0:0:0:0/29 works when you block it, but gives an "Invalid IP address" error when you try to check it with CU. I think the :4F8: part is what is throwing it off (it is only three characters long, not 4).
I think it don't pass the part ( IP::isIPv6( $ip ) && $range < $wgCheckUserCIDRLimit['IPv6'] ) ) since 29 < 32 (range is too wide). Is the bug in the block stuffs instead?
Actually, it is not a bug; the IPv6 default for maximum range size is different for blocks and CheckUser. I don't know why (and I wish they were not the same) but there is no issue with the code.
CheckUser's config: $wgCheckUserCIDRLimit['IPv6'] = 32
Block config: $wgBlockCIDRLimit['IPv6'] = 19