{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2641", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-17T20:23:22.618Z", "datePublished": "2026-02-18T05:32:07.920Z", "dateUpdated": "2026-02-23T10:16:38.144Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:16:38.144Z"}, "title": "universal-ctags V Language v.c parseExprList recursion", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-674", "lang": "en", "description": "Uncontrolled Recursion"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "Denial of Service"}]}], "affected": [{"vendor": "universal-ctags", "product": "ctags", "versions": [{"version": "6.2.0", "status": "affected"}, {"version": "6.2.1", "status": "affected"}], "modules": ["V Language Parser"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-17T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-17T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-18T19:49:33.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Oneafter (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346397", "name": "VDB-346397 | universal-ctags V Language v.c parseExprList recursion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346397", "name": "VDB-346397 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.752768", "name": "Submit #752768 | universal-ctags ctags master-branch Uncontrolled Recursion", "tags": ["third-party-advisory"]}, {"url": "https://github.com/universal-ctags/ctags/issues/4369", "tags": ["issue-tracking"]}, {"url": "https://github.com/oneafter/0116/blob/main/poc.v", "tags": ["exploit"]}, {"url": "https://github.com/universal-ctags/ctags/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T20:30:54.140374Z", "id": "CVE-2026-2641", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:31:02.435Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2641", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T20:30:54.140374Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:30:58.334Z"}}], "cna": {"title": "universal-ctags V Language v.c parseExprList recursion", "credits": [{"lang": "en", "type": "reporter", "value": "Oneafter (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "universal-ctags", "modules": ["V Language Parser"], "product": "ctags", "versions": [{"status": "affected", "version": "6.2.0"}, {"status": "affected", "version": "6.2.1"}]}], "timeline": [{"lang": "en", "time": "2026-02-17T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-17T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-18T19:49:33.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346397", "name": "VDB-346397 | universal-ctags V Language v.c parseExprList recursion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346397", "name": "VDB-346397 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.752768", "name": "Submit #752768 | universal-ctags ctags master-branch Uncontrolled Recursion", "tags": ["third-party-advisory"]}, {"url": "https://github.com/universal-ctags/ctags/issues/4369", "tags": ["issue-tracking"]}, {"url": "https://github.com/oneafter/0116/blob/main/poc.v", "tags": ["exploit"]}, {"url": "https://github.com/universal-ctags/ctags/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "Uncontrolled Recursion"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "Denial of Service"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:16:38.144Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2641", "state": "PUBLISHED", "dateUpdated": "2026-02-23T10:16:38.144Z", "dateReserved": "2026-02-17T20:23:22.618Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-18T05:32:07.920Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Se ha identificado una debilidad en universal-ctags ctags hasta la versi\u00f3n 6.2.1. El elemento afectado es la funci\u00f3n parseExpression/parseExprList del archivo parsers/v.c del componente V Language Parser. La ejecuci\u00f3n de una manipulaci\u00f3n puede llevar a una recursi\u00f3n incontrolada. Es posible lanzar el ataque en el host local. El exploit ha sido puesto a disposici\u00f3n del p\u00fablico y podr\u00eda ser utilizado para ataques. Se inform\u00f3 al proyecto del problema con antelaci\u00f3n a trav\u00e9s de un informe de incidencia, pero a\u00fan no ha respondido."}], "id": "CVE-2026-2641", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-18T06:16:35.517", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/oneafter/0116/blob/main/poc.v"}, {"source": "cna@vuldb.com", "url": "https://github.com/universal-ctags/ctags/"}, {"source": "cna@vuldb.com", "url": "https://github.com/universal-ctags/ctags/issues/4369"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.346397"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.346397"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.752768"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-674"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{"bugzilla": {"description": "ctags: ctags: Denial of Service due to uncontrolled recursion", "id": "2440536", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440536"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-835", "details": ["A flaw was found in ctags. A local attacker with low privileges can exploit a weakness in the V Language Parser component by executing a specially crafted input that triggers uncontrolled recursion within the `parseExpression/parseExprList` functions. This vulnerability can lead to a Denial of Service (DoS), making the application unresponsive or unavailable."], "name": "CVE-2026-2641", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "ctags", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "ctags", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ctags", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2026-02-18T05:32:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2641\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2641\nhttps://github.com/oneafter/0116/blob/main/poc.v\nhttps://github.com/universal-ctags/ctags/\nhttps://github.com/universal-ctags/ctags/issues/4369\nhttps://vuldb.com/?ctiid.346397\nhttps://vuldb.com/?id.346397\nhttps://vuldb.com/?submit.752768"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.2.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ctags", "source": "cna", "vendor": "universal-ctags"}, "product": "ctags", "vendor": "universal-ctags"}], "analysis": {"en": {"generated_at": "2026-04-17T18:47:51.596863+00:00", "value": {"mitigation_remediation": ["Upgrade universal\u2011ctags to a version newer than 6.2.1 once a fix is released.", "If the V Language parser is not required, disable or remove that parsing feature to eliminate the recursion path.", "Keep an eye on the upstream issue tracker and apply any patches or security advisories as soon as they become available."], "summary": {"action": "Patch", "impact": "Denial of Service via uncontrolled recursion"}, "threat_synthesis": {"affected_systems": "The affected product is universal\u2011ctags, specifically the ctags component. Versions up to and including 6.2.1 are vulnerable. Any installation that utilizes the V Language parser implementation in parsers/v.c may be impacted.", "description_and_impact": "The vulnerability resides in the parseExpression and parseExprList functions of the V Language parser within universal\u2011ctags. A crafted input can cause the parser to recur without bounds, ultimately exhausting the call stack or available memory, and thus incapacitating the process. This uncontrolled recursion is classified under CWE\u2011835 and involves improper resource handling (CWE\u2011674).", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate severity. The EPSS score is below 1%, which suggests a low probability of exploitation on the public internet. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation at this time. Based on the description, it is inferred that the attack requires local or privileged execution on the host running ctags, as the manipulated input must be parsed by the V Language parser. The attacker could use the public exploit code to trigger the recursive parse, causing the process to crash or hang, resulting in a denial of service."}}}}, "created": "2026-02-18T10:32:43.034021+00:00", "updated": "2026-04-17T19:00:11.016132+00:00", "vendors": ["universal-ctags", "universal-ctags$PRODUCT$ctags"]}