Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network delivery is plausible via a networked terminal program, but AC:H and UI:R reflect the required precondition of an active :terminal session rendering attacker-controlled combining characters.
Primary rating from Vendor (GitHub_M).
Description (CVE.org)
Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots - a base character plus five combining marks - the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.
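The loop pattern from the description, as an added example that is not Vim's or libvterm's source code: a simplified model showing the NUL-only walk beside one way to bound it. The names `model_cell`, `copy_cell_unbounded`, `copy_cell_bounded` and `demo_full_cell` are hypothetical, and only the six-slot limit is taken from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHARS_PER_CELL 6 /* mirrors VTERM_MAX_CHARS_PER_CELL (6) from the description */

/* Simplified stand-in for a terminal screen cell (hypothetical type). */
typedef struct {
    uint32_t chars[MAX_CHARS_PER_CELL]; /* base char + combining marks; no NUL when full */
} model_cell;

/* Pattern described above: the walk stops only at NUL, so a full cell makes
 * it read chars[6] and beyond. Shown for contrast; only safe to call when
 * the cell holds fewer than six code points. */
size_t copy_cell_unbounded(const model_cell *c, uint32_t *out)
{
    size_t n = 0;
    for (size_t i = 0; c->chars[i] != 0; ++i)
        out[n++] = c->chars[i];
    return n;
}

/* Bounded walk: the index is capped by the array size and by the
 * destination capacity, so a full cell yields exactly six code points. */
size_t copy_cell_bounded(const model_cell *c, uint32_t *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < MAX_CHARS_PER_CELL && c->chars[i] != 0 && n < out_cap; ++i)
        out[n++] = c->chars[i];
    return n;
}

/* Constructed input: 'e' plus five combining marks fills every slot. The
 * guard word models whatever memory happens to follow the array. */
size_t demo_full_cell(uint32_t *out, size_t out_cap)
{
    struct { model_cell cell; uint32_t guard; } s = {
        { { 0x65, 0x301, 0x302, 0x303, 0x304, 0x305 } }, 0xDEADBEEF
    };
    return copy_cell_bounded(&s.cell, out, out_cap);
}

int main(void)
{
    uint32_t out[MAX_CHARS_PER_CELL];
    printf("copied %zu code points\n", demo_full_cell(out, MAX_CHARS_PER_CELL));
    return 0;
}
```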
Analysis (AI)
Out-of-bounds read in Vim's built-in terminal emulator (:terminal feature) prior to version 9.2.0565 allows a program running inside a :terminal window to crash Vim by outputting crafted Unicode combining characters that exhaust all six libvterm cell slots, causing the unguarded loop in update_snapshot() to walk past the fixed-size array and append out-of-bounds memory into the scrollback buffer. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog and no public exploit code has been identified, placing this in the lower-urgency tier despite the CVSS 4.0 score of 6.9. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the victim to be running a Vim build compiled with `+terminal` support and to have an active `:terminal` window open in which a program is rendering attacker-controlled output. … |
| Risk Assessment | The reporter-assigned CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L, score 6.9) characterizes this as a zero-friction, network-reachable, unauthenticated crash - a characterization that is technically defensible but contextually optimistic. … |
| Exploit Scenario | A developer uses Vim's `:terminal` to run an SSH session connected to a remote server that an attacker controls or has compromised. The attacker's server outputs a short byte sequence - a base Unicode character followed by five combining marks - which libvterm renders by filling all six `cell.chars[]` slots without a NUL terminator. … |
| Remediation | Upgrade Vim to version 9.2.0565 or later, which is confirmed by the vendor release tag at https://github.com/vim/vim/releases/tag/v9.2.0565 and the specific one-line fix in commit 63680c6d3d52477817b49cd1a66e7aabe8a7aa19. … |
EUVD-2026-36283