Description
Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
Published: 2026-06-25
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds write in the spell-file word-count function. It allows a crafted .spl/.sug pair to cause Vim to write past the bounds of a stack array, corrupting the call frame and crashing the editor. This leads to a denial of service but does not provide remote code execution.

Affected Systems

The problem affects Vim versions earlier than 9.2.0653. Users of any operating system or architecture running an older Vim build and who load spell suggestions from untrusted files are potentially affected. The official vendor fix is to upgrade to release 9.2.0653 or later.

Risk and Exploitability

The CVSS base score of 5.7 indicates moderate severity. Because the EPSS score is not available and the vulnerability is not in the KEV catalog, the likelihood of exploitation is uncertain. The attack vector is inferred to be a local or user-supplied spell file, requiring the user to open a document that triggers spell suggestions; no external network exploitation is documented.

Generated by OpenCVE AI on June 25, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Vim to 9.2.0653 or newer.
  • If an update is not immediately possible, disable spell suggestion features or remove untrusted spell files from the spell directory.
  • Verify that any custom .spl/.sug files come from trusted sources and delete or quarantine unknown files.
  • Consider running Vim with limited permissions or from a sandbox to mitigate impact.

Generated by OpenCVE AI on June 25, 2026 at 16:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
Title Vim: Out-of-bounds Write in Spell File Word Count
Weaknesses CWE-787
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:34:33.424Z

Reserved: 2026-06-17T00:13:10.650Z

Link: CVE-2026-55693

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T16:30:15Z

Weaknesses