Skip to main content

Vim EUVDEUVD-2026-39452

| CVE-2026-55693 MEDIUM
Out-of-bounds Write (CWE-787)
2026-06-25 GitHub_M
5.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local vector because a crafted spell file must reach the filesystem; no attacker privileges needed but active user interaction (spell suggestion) is required to trigger the vulnerable code path.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 17:02 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 16:27 vuln.today
Analysis Generated
Jun 25, 2026 - 16:27 vuln.today

DescriptionCVE.org

Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.

AnalysisAI

Stack out-of-bounds write in Vim's spell suggestion engine allows a crafted .spl/.sug file pair to corrupt the call stack and crash the editor when spell suggestions are invoked. All Vim releases prior to 9.2.0653 are affected, with the flaw in tree_count_words() and sug_filltree() inside src/spellfile.c, where three fixed-size MAXWLEN-element stack arrays are indexed by an unbounded depth counter. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft malicious .spl/.sug file pair with BY_INDEX self-cycle
Delivery
Deliver files to victim's Vim runtime spell directory
Exploit
Victim sets spelllang to crafted language with spell enabled
Install
Victim invokes spell suggestion (z= or spellsuggest())
C2
.sug load triggers tree_count_words() trie walk
Execute
Depth counter exceeds MAXWLEN without bounds check
Impact
Stack OOB write corrupts call frame and crashes editor

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following conditions to be met simultaneously: (1) a crafted `.spl`/`.sug` file pair must be present in a directory on Vim's `runtimepath` - this is a local filesystem delivery requirement, not a remote network attack; (2) the user must have spell checking enabled (`set spell`) and must have configured the crafted spell language (`set spelllang=<malicious-lang>`); (3) the user must actively invoke spell suggestion, either via `z=` in normal mode or by calling `spellsuggest()` - merely having the file present or opening a file with spell enabled is insufficient without the suggestion invocation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.7 (Medium) reflects the realistic exploitation constraints: local attack vector (AV:L) and mandatory active user interaction (UI:A) substantially reduce exploitability despite the High impact across confidentiality, integrity, and availability on the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious `.spl`/`.sug` file pair containing a `BY_INDEX` self-referencing node in the fold-word trie that bypasses Vim's parse-time depth cap but drives `tree_count_words()` to an unbounded depth at runtime. The attacker plants the file pair in the victim's Vim spell directory - for example, via a shared dotfile repository, a compromised plugin manager, or a malicious workspace - and waits for the victim to open a file with spell checking enabled against the crafted language and invoke spell suggestions (via `z=` or `spellsuggest()`), at which point the stack out-of-bounds write crashes the editor and may corrupt adjacent stack frames. …
Remediation Upgrade Vim to version 9.2.0653 or later, confirmed by the upstream tagged release at https://github.com/vim/vim/releases/tag/v9.2.0653 and fix commit a80874d9b84a01040e3d1aef2d4a59e1934dafb7 (https://github.com/vim/vim/commit/a80874d9b84a01040e3d1aef2d4a59e1934dafb7). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Vim

View all
CVE-2022-3520 CRITICAL POC
9.8 Dec 02

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. Rated critical severity (CVSS 9.8), this vuln

CVE-2022-0729 HIGH POC
8.8 Feb 23

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440. Rated high severity (CVSS 8.8), this

CVE-2026-34714 HIGH POC
8.6 Mar 30

{expr} payload embedded in a modeline to be evaluated even when the protective 'modelineexpr' setting is off (the defaul

CVE-2019-12735 HIGH POC
8.6 Jun 05

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via th

CVE-2021-3968 HIGH POC
8.0 Nov 19

vim is vulnerable to Heap-based Buffer Overflow. Rated high severity (CVSS 8.0), this vulnerability is remotely exploita

CVE-2023-4735 HIGH POC
7.8 Sep 02

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-4781 HIGH POC
7.8 Sep 05

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. Rated high severity (CVSS 7.8), this vulnerab

CVE-2023-4734 HIGH POC
7.8 Sep 02

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846. Rated high severity (CVSS 7.8), this vuln

CVE-2023-4733 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1840. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4750 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1857. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4736 HIGH POC
7.8 Sep 02

Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833. Rated high severity (CVSS 7.8), this vulnerability

CVE-2023-2610 HIGH POC
7.8 May 09

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. Rated high severity (CVSS 7.8), this vuln

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

EUVD-2026-39452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy