Description
Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.
Published: 2026-06-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vim's terminal snapshot routine reads terminal cells into a buffer without verifying array bounds, a classic case of CWE‑125. When a cell contains a base character plus five combining marks, the libvterm buffer lacks a terminating NUL, causing the copy loop to read beyond the intended six‑element array and write the out‑of‑bounds values into a space reserved for only six characters, which is also an instance of CWE‑787. This out‑of‑bounds read/write leads the editor to crash, interrupting the user session. The flaw does not enable code execution or privilege escalation; its effect is a denial of service.

Affected Systems

All Vim packages prior to v9.2.0565 are affected, regardless of operating system. The vulnerability is triggered only when the :terminal feature is used and a program running inside the terminal emits a cell with five combining marks. Systems employing older Vim builds in terminal mode are at risk; newer builds (v9.2.0565 and later) contain the patch and are not vulnerable.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate severity. The associated EPSS score of 0.0004 indicates a very low probability of exploitation. Attackers can exploit the flaw by delivering a crafted byte sequence to Vim's terminal, which is a local attack requiring no network access or elevated privileges. The impact is limited to a crash of the editor; no user data is compromised. Because the vulnerability is restricted to the terminal snapshot routine, the attack surface is narrow, and the risk is primarily service disruption that can be permanently eliminated by upgrading Vim.

Generated by OpenCVE AI on June 13, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0565 or later to apply the bounds‑check fix.
  • Temporarily disable the :terminal feature or limit its use to trusted users until the upgrade can be performed.
  • Restrict execution of external programs inside Vim’s terminal windows by configuring file permissions or sandboxing the environment to prevent malicious output.

Generated by OpenCVE AI on June 13, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8451-1 Vim vulnerabilities
History

Mon, 15 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}


Sat, 13 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 11 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Vim
Vim vim
Vendors & Products Vim
Vim vim

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.
Title Vim: Out-of-bounds Read in Terminal Screen Snapshot
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T19:38:46.065Z

Reserved: 2026-06-08T18:41:27.725Z

Link: CVE-2026-52859

cve-icon Vulnrichment

Updated: 2026-06-11T19:38:07.357Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-11T19:16:47.627

Modified: 2026-06-15T13:12:47.370

Link: CVE-2026-52859

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-11T18:33:09Z

Links: CVE-2026-52859 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T02:00:08Z

Weaknesses