Skip to main content

Vim CVE-2026-59857

MEDIUM
Out-of-bounds Write (CWE-787)
2026-07-09 GitHub_M
5.6
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.7 MEDIUM

Local attack vector, high complexity due to required SAL spell file and 8-bit encoding prerequisites, no privileges needed, user must trigger spell suggestions, availability-only impact.

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 23:30 vuln.today

DescriptionCVE.org

Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.

AnalysisAI

Stack buffer overflow in Vim's SAL sound-folding spell engine prior to version 9.2.0725 crashes the editor by writing a null byte one position past the end of a MAXWLEN-element stack buffer in spell_soundfold_sal(). Exploitation requires a user to open Vim with a SAL-based spell file active under a non-multibyte 8-bit encoding and trigger sound-based spell suggestions on a boundary-length word, corrupting the eval_soundfold() stack frame. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Configure Vim with SAL spell file + 8-bit encoding
Delivery
Open or craft document with MAXWLEN-length word
Exploit
Trigger sound-based spell suggestion
Execution
spell_soundfold_sal() writes null byte past stack buffer end
Persist
eval_soundfold() stack frame corrupted
Impact
Vim process crash

Vulnerability AssessmentAI

Exploitation Three simultaneous conditions are required: (1) a SAL-based spell file must be loaded and active in Vim - SAL is a specific sound-folding mechanism in spell files, not all spell files use it, making this a non-default configuration; (2) Vim's encoding must be set to a non-multibyte 8-bit encoding such as latin1 or similar, not UTF-8, which is increasingly the default; (3) a word of exactly MAXWLEN characters must be passed to soundfold(), either directly or via sound-based spell suggestion traversal. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.6 (Medium) accurately reflects the constrained risk profile: AV:L confirms the attack is local to the editor process, AT:P acknowledges specific prerequisites that limit opportunistic exploitation, and VA:H correctly captures the crash impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user opens Vim with a SAL-enabled spell file active (e.g., a language pack using phonetic sound-alike rules) while their encoding is set to a non-multibyte 8-bit value such as latin1, then either manually invokes spell suggestions on a word exactly at the MAXWLEN boundary or opens a crafted document that causes such a word to be processed automatically during spell checking. The off-by-one null write corrupts the eval_soundfold() stack frame, causing Vim to crash. …
Remediation Upgrade to Vim 9.2.0725 or later, which corrects the off-by-one boundary condition in spell_soundfold_sal(). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Vim

View all
CVE-2022-3520 CRITICAL POC
9.8 Dec 02

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. Rated critical severity (CVSS 9.8), this vuln

CVE-2022-0729 HIGH POC
8.8 Feb 23

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440. Rated high severity (CVSS 8.8), this

CVE-2026-34714 HIGH POC
8.6 Mar 30

{expr} payload embedded in a modeline to be evaluated even when the protective 'modelineexpr' setting is off (the defaul

CVE-2019-12735 HIGH POC
8.6 Jun 05

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via th

CVE-2021-3968 HIGH POC
8.0 Nov 19

vim is vulnerable to Heap-based Buffer Overflow. Rated high severity (CVSS 8.0), this vulnerability is remotely exploita

CVE-2023-4735 HIGH POC
7.8 Sep 02

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-4781 HIGH POC
7.8 Sep 05

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. Rated high severity (CVSS 7.8), this vulnerab

CVE-2023-4734 HIGH POC
7.8 Sep 02

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846. Rated high severity (CVSS 7.8), this vuln

CVE-2023-4733 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1840. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4750 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1857. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4736 HIGH POC
7.8 Sep 02

Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833. Rated high severity (CVSS 7.8), this vulnerability

CVE-2023-2610 HIGH POC
7.8 May 09

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. Rated high severity (CVSS 7.8), this vuln

Share

CVE-2026-59857 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy