CVE-2026-2641
Uncontrolled Recursion in universal-ctags V Language Parser
Publication date: 2026-02-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| universal-ctags | ctags | to 6.2.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2641 is a vulnerability in universal-ctags versions up to 6.2.1, specifically in the V Language Parser component within the file parsers/v.c. It involves uncontrolled recursion between two functions, parseExpression and parseExprList, which call each other without any limit on recursion depth.
This uncontrolled recursion can be triggered by specially crafted V source files containing deeply nested expressions, such as nested parentheses or arrays. The recursion causes excessive resource consumption, leading to stack overflow and a crash of the software.
Exploitation requires local access and the vulnerability has a low to moderate severity score, primarily affecting the availability of the software. A proof-of-concept exploit is publicly available.
How can this vulnerability impact me? :
This vulnerability can impact you by causing the universal-ctags software to crash due to stack overflow triggered by uncontrolled recursion. This results in denial of service, making the software unavailable for use.
Since the exploit requires local access, an attacker with access to the host can trigger the crash by providing a specially crafted V source file, potentially disrupting development workflows or automated processes relying on universal-ctags.
No remote exploitation is possible, and the impact is limited to availability without compromising confidentiality or integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running Universal Ctags on a specially crafted V source file that contains deeply nested expressions, which triggers uncontrolled recursion leading to a stack overflow and crash.
To reproduce and detect the issue, build ctags with Release optimization and AddressSanitizer (ASan) enabled, then run it on a crafted V source file (such as the publicly available proof-of-concept file poc.v).
A suggested command to detect the vulnerability is:
- ./ctags -f /dev/null --sort=no poc.v
If the program crashes with a stack overflow detected by ASan, this confirms the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Currently, no countermeasures or mitigations are known or provided by the Universal Ctags project for this vulnerability.
Since the vulnerability requires local access and can be exploited by processing crafted V source files, immediate mitigation steps include limiting access to the vulnerable ctags binary and avoiding processing untrusted or malicious V source files.
It is also suggested to consider replacing the affected software with an alternative tool until a fix or patch is released.