{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2641", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-17T20:23:22.618Z", "datePublished": "2026-02-18T05:32:07.920Z", "dateUpdated": "2026-02-18T20:31:02.435Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-18T05:32:07.920Z"}, "title": "universal-ctags V Language v.c parseExprList recursion", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-674", "lang": "en", "description": "Uncontrolled Recursion"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "Denial of Service"}]}], "affected": [{"vendor": "universal-ctags", "product": "ctags", "versions": [{"version": "6.2.0", "status": "affected"}, {"version": "6.2.1", "status": "affected"}], "modules": ["V Language Parser"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-17T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-17T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-17T21:28:28.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Oneafter (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346397", "name": "VDB-346397 | universal-ctags V Language v.c parseExprList recursion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346397", "name": "VDB-346397 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.752768", "name": "Submit #752768 | universal-ctags ctags master-branch Uncontrolled Recursion", "tags": ["third-party-advisory"]}, {"url": "https://github.com/universal-ctags/ctags/issues/4369", "tags": ["issue-tracking"]}, {"url": "https://github.com/oneafter/0116/blob/main/poc.v", "tags": ["exploit"]}, {"url": "https://github.com/universal-ctags/ctags/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T20:30:54.140374Z", "id": "CVE-2026-2641", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:31:02.435Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2641", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T20:30:54.140374Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:30:58.334Z"}}], "cna": {"title": "universal-ctags V Language v.c parseExprList recursion", "credits": [{"lang": "en", "type": "reporter", "value": "Oneafter (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "universal-ctags", "modules": ["V Language Parser"], "product": "ctags", "versions": [{"status": "affected", "version": "6.2.0"}, {"status": "affected", "version": "6.2.1"}]}], "timeline": [{"lang": "en", "time": "2026-02-17T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-17T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-17T21:28:28.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346397", "name": "VDB-346397 | universal-ctags V Language v.c parseExprList recursion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346397", "name": "VDB-346397 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.752768", "name": "Submit #752768 | universal-ctags ctags master-branch Uncontrolled Recursion", "tags": ["third-party-advisory"]}, {"url": "https://github.com/universal-ctags/ctags/issues/4369", "tags": ["issue-tracking"]}, {"url": "https://github.com/oneafter/0116/blob/main/poc.v", "tags": ["exploit"]}, {"url": "https://github.com/universal-ctags/ctags/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "Uncontrolled Recursion"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "Denial of Service"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-18T05:32:07.920Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2641", "state": "PUBLISHED", "dateUpdated": "2026-02-18T20:31:02.435Z", "dateReserved": "2026-02-17T20:23:22.618Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-18T05:32:07.920Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-2641", "lastModified": "2026-02-18T17:51:53.510", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-18T06:16:35.517", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/oneafter/0116/blob/main/poc.v"}, {"source": "cna@vuldb.com", "url": "https://github.com/universal-ctags/ctags/"}, {"source": "cna@vuldb.com", "url": "https://github.com/universal-ctags/ctags/issues/4369"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.346397"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.346397"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.752768"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-674"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{"bugzilla": {"description": "ctags: ctags: Denial of Service due to uncontrolled recursion", "id": "2440536", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440536"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-835", "details": ["A flaw was found in ctags. A local attacker with low privileges can exploit a weakness in the V Language Parser component by executing a specially crafted input that triggers uncontrolled recursion within the `parseExpression/parseExprList` functions. This vulnerability can lead to a Denial of Service (DoS), making the application unresponsive or unavailable."], "name": "CVE-2026-2641", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "ctags", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "ctags", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ctags", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2026-02-18T05:32:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2641\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2641\nhttps://github.com/oneafter/0116/blob/main/poc.v\nhttps://github.com/universal-ctags/ctags/\nhttps://github.com/universal-ctags/ctags/issues/4369\nhttps://vuldb.com/?ctiid.346397\nhttps://vuldb.com/?id.346397\nhttps://vuldb.com/?submit.752768"], "threat_severity": "Low"}

{"created": "2026-02-18T10:32:43.034021+00:00", "updated": "2026-02-18T10:32:43.034098+00:00", "vendors": ["universal-ctags", "universal-ctags$PRODUCT$ctags"]}