App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc.

ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack sized the before-context buffer to that value, so a project .ackrc setting --before-context=100000000 made ack allocate a buffer of 100 million elements.

A project .ackrc committed to an untrusted repository can abort ack with an out-of-memory condition.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

Upgrade to ack 3.10.0 or later.


Workaround

No workaround given by the vendor.

History

Wed, 08 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
Description App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack sized the before-context buffer to that value, so a project .ackrc setting --before-context=100000000 made ack allocate a buffer of 100 million elements. A project .ackrc committed to an untrusted repository can abort ack with an out-of-memory condition.
Title App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc
Weaknesses CWE-770
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-08T15:22:10.486Z

Reserved: 2026-05-27T17:50:04.538Z

Link: CVE-2026-49146

cve-icon Vulnrichment

Updated: 2026-07-08T15:21:56.928Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses