Skip to main content

Vim CVE-2026-57451

| EUVDEUVD-2026-39449 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-25 GitHub_M
6.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
MEDIUM
qualitative
NVD
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
vuln.today AI
5.3 MEDIUM

Local delivery via crafted undo file demands precise binary manipulation (AC:H) and user-initiated load (UI:R); OOB read crashes Vim (A:H) with marginal heap-byte exposure (C:L) and no integrity impact.

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

4
CVSS changed
Jun 26, 2026 - 04:22 NVD
5.3 (MEDIUM) 6.1 (MEDIUM)
Patch available
Jun 25, 2026 - 17:02 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 16:25 vuln.today
Analysis Generated
Jun 25, 2026 - 16:25 vuln.today

DescriptionNVD

Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.

AnalysisAI

Out-of-bounds read in Vim's text property subsystem allows a crafted undo file to crash the editor and potentially disclose adjacent heap memory. All Vim releases prior to 9.2.0670 are affected; the vulnerability is reachable whenever a user loads a malicious undo file with the persistent-undo feature compiled in and enabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft binary undo file with prop_count=0xFFFF
Delivery
Place file in target project directory
Exploit
User opens Vim with undofile option enabled
Install
Vim auto-loads crafted undo file on buffer open
C2
get_text_props() reads inflated count without bounds check
Execute
Out-of-bounds heap read past line buffer
Impact
Crash or adjacent memory disclosure

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) the target Vim binary must be compiled with +persistent_undo support (CheckFeature persistent_undo guards the test); (2) the 'undofile' option must be set, or the user must manually execute ':rundo <crafted_file>'; (3) at least one text property must exist in the buffer (b_has_textprop flag set) so that get_text_props() does not return early before reaching the malicious count; and (4) the attacker must deliver a precisely crafted binary undo file to a location Vim will load. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.3 (Medium) with vector AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H correctly characterises a local, user-interaction-dependent, high-complexity attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker places a crafted .un~ undo file (with prop_count=0xFFFF encoded as two bytes while carrying only ~34 bytes of actual property data) in a project directory, then persuades a developer to open that directory in Vim with persistent undo enabled. On opening any previously edited file, Vim auto-loads the undo file, restores the malicious line, and when a subsequent text-property consumer (such as prop_list()) traverses the inflated count, it reads far past the line buffer, crashing Vim and potentially leaking heap contents. …
Remediation Upgrade to Vim 9.2.0670 or later; the patch commit b2338ca90643e2f01ecb6547c1172716aaec4f79 and release tag at https://github.com/vim/vim/releases/tag/v9.2.0670 are both confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Vim

View all
CVE-2022-3520 CRITICAL POC
9.8 Dec 02

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. Rated critical severity (CVSS 9.8), this vuln

CVE-2022-0729 HIGH POC
8.8 Feb 23

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440. Rated high severity (CVSS 8.8), this

CVE-2026-34714 HIGH POC
8.6 Mar 30

{expr} payload embedded in a modeline to be evaluated even when the protective 'modelineexpr' setting is off (the defaul

CVE-2019-12735 HIGH POC
8.6 Jun 05

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via th

CVE-2021-3968 HIGH POC
8.0 Nov 19

vim is vulnerable to Heap-based Buffer Overflow. Rated high severity (CVSS 8.0), this vulnerability is remotely exploita

CVE-2023-4735 HIGH POC
7.8 Sep 02

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-4781 HIGH POC
7.8 Sep 05

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. Rated high severity (CVSS 7.8), this vulnerab

CVE-2023-4734 HIGH POC
7.8 Sep 02

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846. Rated high severity (CVSS 7.8), this vuln

CVE-2023-4733 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1840. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4750 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1857. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4736 HIGH POC
7.8 Sep 02

Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833. Rated high severity (CVSS 7.8), this vulnerability

CVE-2023-2610 HIGH POC
7.8 May 09

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. Rated high severity (CVSS 7.8), this vuln

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

CVE-2026-57451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy