Impact
Vim's terminal snapshot routine reads terminal cells into a buffer without verifying array bounds, a classic case of CWE‑125. When a cell contains a base character plus five combining marks, the libvterm buffer lacks a terminating NUL, causing the copy loop to read beyond the intended six‑element array and write the out‑of‑bounds values into a space reserved for only six characters, which is also an instance of CWE‑787. This out‑of‑bounds read/write leads the editor to crash, interrupting the user session. The flaw does not enable code execution or privilege escalation; its effect is a denial of service.
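The copy pattern described above, as an added example written for this page and not taken from Vim or libvterm: a loop that relies only on a terminator is shown next to one that also bounds the index. The names `cell_t`, `CELL_MAX_CHARS`, `copy_cell_unbounded` and `copy_cell_bounded` are hypothetical, and the sample cell is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical name for the six-element per-cell array described above. */
#define CELL_MAX_CHARS 6

/* Hypothetical stand-in for a terminal cell: base character followed by
 * combining marks. A 0 entry ends the list only when fewer than
 * CELL_MAX_CHARS slots are in use; a full cell has no terminator. */
typedef struct {
    uint32_t chars[CELL_MAX_CHARS];
} cell_t;

/* "Before" pattern: the loop's only exit is a 0 entry, so a full cell
 * sends it past the end of both arrays. Safe only on terminated cells. */
size_t copy_cell_unbounded(const cell_t *cell, uint32_t *dst)
{
    size_t i;
    for (i = 0; cell->chars[i] != 0; i++)
        dst[i] = cell->chars[i];
    return i;
}

/* Bounded pattern: the index is checked against the source array size
 * and the destination capacity before the terminator test. */
size_t copy_cell_bounded(const cell_t *cell, uint32_t *dst, size_t dst_len)
{
    size_t i;
    for (i = 0; i < CELL_MAX_CHARS && i < dst_len && cell->chars[i] != 0; i++)
        dst[i] = cell->chars[i];
    return i;
}

int main(void)
{
    /* Constructed sample: 'e' plus five combining marks fills all six slots. */
    cell_t full = {{0x65, 0x0301, 0x0302, 0x0303, 0x0304, 0x0305}};
    uint32_t out[CELL_MAX_CHARS];
    size_t n = copy_cell_bounded(&full, out, CELL_MAX_CHARS);
    printf("copied %zu code points from a full cell\n", n);
    return 0;
}
```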
Affected Systems
All Vim packages prior to v9.2.0565 are affected, regardless of operating system. The vulnerability is triggered only when the :terminal feature is used and a program running inside the terminal emits a cell with five combining marks. Systems employing older Vim builds in terminal mode are at risk; newer builds (v9.2.0565 and later) contain the patch and are not vulnerable.
Risk and Exploitability
The CVSS base score of 6.9 indicates moderate severity. The associated EPSS score of 0.0004 indicates a very low probability of exploitation. Attackers can exploit the flaw by delivering a crafted byte sequence to Vim's terminal; the attack is local and requires no network access or elevated privileges. The impact is limited to a crash of the editor; no user data is compromised. Because the vulnerability is restricted to the terminal snapshot routine, the attack surface is narrow, and the risk is primarily service disruption that can be permanently eliminated by upgrading Vim.