CVE-2026-2641
Received Received - Intake
Uncontrolled Recursion in universal-ctags V Language Parser

Publication date: 2026-02-18

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2641
EUVD
EUVD-2026-7652
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
universal-ctags ctags to 6.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2641 is a vulnerability in universal-ctags versions up to 6.2.1, specifically in the V Language Parser component within the file parsers/v.c. It involves uncontrolled recursion between two functions, parseExpression and parseExprList, which call each other without any limit on recursion depth.

This uncontrolled recursion can be triggered by specially crafted V source files containing deeply nested expressions, such as nested parentheses or arrays. The recursion causes excessive resource consumption, leading to stack overflow and a crash of the software.

Exploitation requires local access and the vulnerability has a low to moderate severity score, primarily affecting the availability of the software. A proof-of-concept exploit is publicly available.

Impact Analysis

This vulnerability can impact you by causing the universal-ctags software to crash due to stack overflow triggered by uncontrolled recursion. This results in denial of service, making the software unavailable for use.

Since the exploit requires local access, an attacker with access to the host can trigger the crash by providing a specially crafted V source file, potentially disrupting development workflows or automated processes relying on universal-ctags.

No remote exploitation is possible, and the impact is limited to availability without compromising confidentiality or integrity.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by running Universal Ctags on a specially crafted V source file that contains deeply nested expressions, which triggers uncontrolled recursion leading to a stack overflow and crash.

To reproduce and detect the issue, build ctags with Release optimization and AddressSanitizer (ASan) enabled, then run it on a crafted V source file (such as the publicly available proof-of-concept file poc.v).

A suggested command to detect the vulnerability is:

  • ./ctags -f /dev/null --sort=no poc.v

If the program crashes with a stack overflow detected by ASan, this confirms the presence of the vulnerability.

Mitigation Strategies

Currently, no countermeasures or mitigations are known or provided by the Universal Ctags project for this vulnerability.

Since the vulnerability requires local access and can be exploited by processing crafted V source files, immediate mitigation steps include limiting access to the vulnerable ctags binary and avoiding processing untrusted or malicious V source files.

It is also suggested to consider replacing the affected software with an alternative tool until a fix or patch is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2641. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart