Description
Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
Published: 2026-05-08
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vim contains a heap buffer overflow in the function that reads a spell file when UTF-8 is enabled. A crafted spell file contains a length field that overflows a signed 32-bit multiplication, so the buffer that gets allocated is far too small. The subsequent write loop overruns this buffer and corrupts heap memory. If the corruption is not contained, an attacker could gain the ability to run arbitrary code, although the CVE does not document confirmed exploitation. The bug is confined to the spell file loading routine and does not by itself grant direct arbitrary code execution in the editor, but the corrupted heap can lead to crashes or serve as the basis for exploit attempts.
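An added sketch of the bug class described above, not Vim's code: a file-supplied length multiplied in 32 bits wraps to a tiny allocation size, shown next to a hardened sizing check. The expansion factor EXPAND, the 4-byte big-endian length layout and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical worst-case output bytes per input byte; an assumption for
 * this sketch, not a constant taken from Vim's source. */
#define EXPAND 6u

/* What a 32-bit size computation yields for len * EXPAND + 1. Done in
 * unsigned arithmetic so the wrap is well defined in C (signed overflow,
 * as in the bug class described above, is undefined behaviour). */
uint32_t size_32bit(uint32_t len)
{
    return len * EXPAND + 1u;
}

/* Hardened sizing: reject lengths that are zero, exceed the bytes actually
 * left in the section, or would overflow; compute in size_t. Returns 0 on
 * success and stores the allocation size in *out, -1 on rejection. */
int checked_size(uint32_t len, size_t remaining, size_t *out)
{
    if (len == 0 || len > remaining)
        return -1;
    if (len > (SIZE_MAX - 1) / EXPAND)
        return -1;
    *out = (size_t)len * EXPAND + 1;
    return 0;
}

/* Read a 4-byte big-endian length field from a section (constructed layout)
 * and allocate the output buffer only if the length is plausible. */
unsigned char *alloc_for_section(const unsigned char *sec, size_t sec_len,
                                 size_t *alloc_size)
{
    uint32_t len;
    if (sec_len < 4)
        return NULL;
    len = ((uint32_t)sec[0] << 24) | ((uint32_t)sec[1] << 16)
        | ((uint32_t)sec[2] << 8) | (uint32_t)sec[3];
    if (checked_size(len, sec_len - 4, alloc_size) != 0)
        return NULL;
    return malloc(*alloc_size);
}
```

Bounding the length by the bytes that remain in the section rejects implausible values before any arithmetic is done, which is a stronger check than overflow detection alone.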

Affected Systems

All installations of the Vim editor built from the source tree whose version is older than 9.2.0450 are affected. The vulnerability resides in the vim:vim product and can be triggered on any platform where Vim runs with spell support enabled.

Risk and Exploitability

The CVSS score is 6.6, indicating moderate risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local, or requires the attacker to supply a malicious spell file: a modeline in a text file can set the spell language option and cause Vim to load a malicious compiled spell file planted on the runtimepath. If an attacker can persuade a user to open such a file, the overflow may lead to heap corruption and potentially arbitrary code execution. No public exploitation has been reported, but the potential for memory corruption warrants prompt remediation.

Generated by OpenCVE AI on May 9, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to 9.2.0450 or newer to apply the official fix.
  • If upgrading is not immediately possible, prevent text files from changing 'spelllang' by disabling modeline processing (:set nomodeline in your vimrc), or otherwise ensure the 'spelllang' option cannot be altered from user files.
  • Limit the runtimepath used by Vim or remove any non‑trusted directories so that a malicious spell file cannot be located and loaded by the editor.

Advisories

No advisories yet.

History

Sat, 09 May 2026 00:45:00 +0000

Type: First Time appeared
Values Added: Vim; Vim vim

Type: Vendors & Products
Values Added: Vim; Vim vim

Fri, 08 May 2026 23:15:00 +0000

Type: Description
Values Added: Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.

Type: Title
Values Added: Vim: Heap Buffer Overflow in spell file loading

Type: Weaknesses
Values Added: CWE-122, CWE-190

Type: References

Type: Metrics
Values Added: cvssV3_1: score 6.6, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:42:35.097Z

Reserved: 2026-05-08T20:08:17.209Z

Link: CVE-2026-45130

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T23:16:40.053

Modified: 2026-05-08T23:16:40.053

Link: CVE-2026-45130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:30:21Z

Weaknesses