Description
Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.
Published: 2026-03-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Update
AI Analysis

Impact

Vim’s NFA regex compiler contains a null pointer dereference that leads to a segmentation fault. When a regular expression contains a character range whose endpoint includes a combining character, such as [0-0\u05bb], the compiler emits composing bytes as separate NFA states. This corrupts the NFA postfix stack, causing the NFA_START_COLL state’s out1 pointer to be NULL. A later traversal for look‑behind estimation dereferences state->out1->out without a NULL check, producing a crash. The impact is a denial of service via an application crash; no remote code execution or privilege escalation is indicated. The weakness is identified as CWE-476.

Affected Systems

The vulnerability affects Vim versions from 9.1.0011 up through 9.2.0136. Affected vendors include vim:vim. Users running any of these versions are at risk until they upgrade.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, while the EPSS score is below 1%, implying a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires delivering a crafted regular expression to Vim, which is most likely a local attack vector; however, if Vim is invoked on untrusted content with elevated privileges, the resulting crash could compromise availability for that session. The official fix is to upgrade to Vim 9.2.0137 or later.

Generated by OpenCVE AI on March 18, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0137 or a later release.
  • Verify the installed Vim version with `vim --version` before applying the patch.

Generated by OpenCVE AI on March 18, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

Sat, 14 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Vim
Vim vim
Vendors & Products Vim
Vim vim

Thu, 12 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.
Title NFA regex engine NULL pointer dereference affects Vim < 9.2.0137
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

Subscriptions

Vim Vim
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:16:31.836Z

Reserved: 2026-03-11T14:47:05.686Z

Link: CVE-2026-32249

cve-icon Vulnrichment

Updated: 2026-03-13T16:16:24.007Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T20:16:05.523

Modified: 2026-03-18T11:50:06.000

Link: CVE-2026-32249

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-12T19:17:23Z

Links: CVE-2026-32249 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:54:55Z

Weaknesses