Skip to main content

Vim EUVDEUVD-2026-39437

| CVE-2026-57455 MEDIUM
Out-of-bounds Write (CWE-787)
2026-06-25 GitHub_M
4.0
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.0 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.0 HIGH

Local-only vector (AV:L), high complexity for required SOFO configuration (AC:H), no privileges needed (PR:N), active user interaction required (UI:R); CIA all High reflecting stack smash potential per CVSS 4.0 vendor assessment.

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 17:02 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 16:23 vuln.today
Analysis Generated
Jun 25, 2026 - 16:23 vuln.today

DescriptionCVE.org

Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.

AnalysisAI

Stack out-of-bounds write in Vim's spell_soundfold_sofo() function (src/spell.c) allows local exploitation when a SOFO-based spell language is active and the soundfold path is triggered with a word exceeding MAXWLEN (254) bytes, corrupting the call frame and crashing the editor with theoretical code execution potential. All Vim releases prior to 9.2.0698 carrying the single-byte SOFO branch are affected; the vendor has released a confirmed fix at v9.2.0698. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted SOFO spell file to local user
Delivery
User loads file in Vim with spell checking enabled
Exploit
Trigger soundfold() on word exceeding 254 bytes
Execution
Unguarded ri index writes past MAXWLEN stack buffer
Persist
Call frame overwritten
Impact
Editor crash or controlled stack smash

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following local conditions simultaneously: Vim must be running on the local system (AV:L - no network vector exists), spell checking must be active (`set spell`), a SOFO-based spell language file must be loaded via `set spelllang` pointing to a dictionary that uses SOFOFROM/SOFOTO directives, and the user must actively trigger a soundfold operation - either via Vim's `soundfold()` function or via sound-based spell suggestion (`z=`) - on a word exceeding MAXWLEN (254) bytes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 4.0 (Medium) accurately reflects the constrained exploitation environment: AV:L restricts the attack to local access, AC:H demands a specific SOFO spell-file configuration, and UI:A requires active user interaction to trigger the soundfold path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious SOFO-based spell file containing SOFOFROM/SOFOTO entries and social-engineers a local user into loading it in Vim with spell checking enabled. When the victim invokes a sound-based spell suggestion (e.g., `z=`) on a word longer than 254 bytes - or when the soundfold() function is triggered programmatically - the unguarded copy loop in spell_soundfold_sofo() writes past the MAXWLEN stack buffer, corrupting the call frame and crashing Vim. …
Remediation Upgrade Vim to version 9.2.0698 or later; this is the vendor-confirmed patched release documented at https://github.com/vim/vim/releases/tag/v9.2.0698 and in security advisory GHSA-q8mh-6qm3-25g4 (https://github.com/vim/vim/security/advisories/GHSA-q8mh-6qm3-25g4). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Vim

View all
CVE-2022-3520 CRITICAL POC
9.8 Dec 02

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. Rated critical severity (CVSS 9.8), this vuln

CVE-2022-0729 HIGH POC
8.8 Feb 23

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440. Rated high severity (CVSS 8.8), this

CVE-2026-34714 HIGH POC
8.6 Mar 30

{expr} payload embedded in a modeline to be evaluated even when the protective 'modelineexpr' setting is off (the defaul

CVE-2019-12735 HIGH POC
8.6 Jun 05

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via th

CVE-2021-3968 HIGH POC
8.0 Nov 19

vim is vulnerable to Heap-based Buffer Overflow. Rated high severity (CVSS 8.0), this vulnerability is remotely exploita

CVE-2023-4735 HIGH POC
7.8 Sep 02

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-4781 HIGH POC
7.8 Sep 05

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. Rated high severity (CVSS 7.8), this vulnerab

CVE-2023-4734 HIGH POC
7.8 Sep 02

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846. Rated high severity (CVSS 7.8), this vuln

CVE-2023-4733 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1840. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4750 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1857. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4736 HIGH POC
7.8 Sep 02

Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833. Rated high severity (CVSS 7.8), this vulnerability

CVE-2023-2610 HIGH POC
7.8 May 09

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. Rated high severity (CVSS 7.8), this vuln

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

EUVD-2026-39437 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy