App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc.
ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack sized the before-context buffer to that value, so a project .ackrc setting --before-context=100000000 made ack allocate a buffer of 100 million elements.
A project .ackrc committed to an untrusted repository can abort ack with an out-of-memory condition.
ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack sized the before-context buffer to that value, so a project .ackrc setting --before-context=100000000 made ack allocate a buffer of 100 million elements.
A project .ackrc committed to an untrusted repository can abort ack with an out-of-memory condition.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
Upgrade to ack 3.10.0 or later.
Workaround
No workaround given by the vendor.
References
History
Wed, 08 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Wed, 08 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack sized the before-context buffer to that value, so a project .ackrc setting --before-context=100000000 made ack allocate a buffer of 100 million elements. A project .ackrc committed to an untrusted repository can abort ack with an out-of-memory condition. | |
| Title | App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc | |
| Weaknesses | CWE-770 | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-07-08T15:22:10.486Z
Reserved: 2026-05-27T17:50:04.538Z
Link: CVE-2026-49146
Updated: 2026-07-08T15:21:56.928Z
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses