CVE-2026-49146
Deferred Deferred - Pending Action

Memory Exhaustion in App::Ack Perl Module

Vulnerability report for CVE-2026-49146, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: CPANSec

Description

App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack sized the before-context buffer to that value, so a project .ackrc setting --before-context=100000000 made ack allocate a buffer of 100 million elements. A project .ackrc committed to an untrusted repository can abort ack with an out-of-memory condition.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
beyondgrep ack to 3.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in App::Ack versions before 3.10.0 for Perl, where the tool allows memory exhaustion due to unbounded context values specified in a project .ackrc configuration file.

Ack searches up the directory hierarchy for a project .ackrc file and loads its options. The -B and -C context options accept any positive integer, and ack allocates a buffer sized to that value. For example, setting --before-context=100000000 in a project .ackrc causes ack to allocate a buffer with 100 million elements.

If a project .ackrc file is committed to an untrusted repository with such large values, it can cause ack to abort due to an out-of-memory condition, effectively causing a denial of service.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can impact you by causing the ack tool to consume excessive memory and potentially crash or abort unexpectedly.

If you use ack in environments where project .ackrc files come from untrusted sources, an attacker could craft a malicious .ackrc file with very large context values to trigger memory exhaustion, leading to denial of service.

Detection Guidance

This vulnerability can be detected by checking for the presence of project .ackrc files that contain unusually large values for the context options -A, -B, or -C, especially values exceeding 10,000.

You can search for such .ackrc files with large context values using commands like:

  • grep -rE '--(before|after|context)-context=[0-9]{5,}' /path/to/projects
  • find /path/to/projects -name '.ackrc' -exec grep -H -E '^-([ABC]) [0-9]{5,}' {} \;

Additionally, monitoring ack process memory usage for unusually high consumption when running in project directories can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include:

  • Audit and remove or restrict project .ackrc files from untrusted sources, especially those containing large values for -A, -B, or -C options.
  • Upgrade ack to version 3.10.0 or later, which includes validation to cap context values at 10,000 and blocks dangerous options in project .ackrc files.
  • Avoid committing project .ackrc files with large context values to shared or public repositories.
  • Consider implementing runtime monitoring to detect and prevent excessive memory usage by ack processes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49146. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart