Skip to main content

Vim EUVDEUVD-2026-39441

| CVE-2026-57454 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-25 GitHub_M
6.8
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Local vector because exploitation requires a crafted file on the local filesystem; user interaction required to open the file; no integrity impact; low confidentiality from bounded heap read; high availability from crash.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Red Hat
MEDIUM
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 17:02 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 16:24 vuln.today
Analysis Generated
Jun 25, 2026 - 16:24 vuln.today

DescriptionCVE.org

Vim is an open source, command line text editor. From 9.2.0320 until 9.2.0679, a crafted undo or swap file can store a virtual-text property whose offset and length point outside the line's property data. When Vim restores or displays such a line it converts the offset into a pointer and reads the virtual text without bounds checking, causing an out-of-bounds read that can crash Vim or disclose adjacent heap memory. This vulnerability is fixed in 9.2.0679.

AnalysisAI

Out-of-bounds heap read in Vim 9.2.0320-9.2.0678 allows a crafted undo or swap file to disclose adjacent heap memory or crash the editor when a victim opens it. The flaw resides in the text property (textprop) subsystem: a maliciously encoded virtual-text property with an oversized tp_text_offset is converted directly to a heap pointer without bounds validation in both the undo-restoration path (um_goto_line) and the display path (get_text_props). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft textprop_T blob with out-of-range tp_text_offset
Delivery
Embed in .un~ undo or swap file
Exploit
Deliver file to target directory
Install
Victim opens associated file in Vim
C2
Vim restores undo history, dereferences crafted offset
Execute
OOB heap read
Impact
Crash (VA:H) or adjacent heap disclosure (VC:L)

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) the target system runs Vim 9.2.0320-9.2.0678 compiled with the persistent_undo feature - standard in major distribution builds, confirmed by the test's CheckFeature persistent_undo guard; (2) a crafted undo file (.FILENAME.un~) or swap file is present on the filesystem at the path Vim will automatically probe when opening the associated base file; (3) the user actively opens that base file in Vim, triggering undo history restoration via um_goto_line() or virtual-text rendering via get_text_props(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.8 accurately characterizes a moderate but not critical real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker embeds a crafted .FILENAME.un~ undo file alongside a legitimate file in a shared repository or archive download; the undo blob contains a single textprop_T entry with tp_id set to -1 (virtual text) and tp_text_offset set to 0x00100000 - far beyond the 34-byte property data. When a developer checks out the repository and opens the file in a vulnerable Vim, Vim automatically loads the undo file, restores the crafted line via um_goto_line(), and dereferences the out-of-range offset as a heap pointer, reading up to tp_len bytes of adjacent heap content (potentially exposing in-memory buffer contents or credentials) or crashing the editor. …
Remediation Vendor-released patch: Vim 9.2.0679, available at https://github.com/vim/vim/releases/tag/v9.2.0679; the underlying fix commit is https://github.com/vim/vim/commit/b3faeecc976d3031d7c0675623516ec60c30f949. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Vim

View all
CVE-2022-3520 CRITICAL POC
9.8 Dec 02

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. Rated critical severity (CVSS 9.8), this vuln

CVE-2022-0729 HIGH POC
8.8 Feb 23

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440. Rated high severity (CVSS 8.8), this

CVE-2026-34714 HIGH POC
8.6 Mar 30

{expr} payload embedded in a modeline to be evaluated even when the protective 'modelineexpr' setting is off (the defaul

CVE-2019-12735 HIGH POC
8.6 Jun 05

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via th

CVE-2021-3968 HIGH POC
8.0 Nov 19

vim is vulnerable to Heap-based Buffer Overflow. Rated high severity (CVSS 8.0), this vulnerability is remotely exploita

CVE-2023-4735 HIGH POC
7.8 Sep 02

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-4781 HIGH POC
7.8 Sep 05

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. Rated high severity (CVSS 7.8), this vulnerab

CVE-2023-4734 HIGH POC
7.8 Sep 02

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846. Rated high severity (CVSS 7.8), this vuln

CVE-2023-4733 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1840. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4750 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1857. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4736 HIGH POC
7.8 Sep 02

Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833. Rated high severity (CVSS 7.8), this vulnerability

CVE-2023-2610 HIGH POC
7.8 May 09

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. Rated high severity (CVSS 7.8), this vuln

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

EUVD-2026-39441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy