CVE-2026-55892 - Vulnerability Details

Description

Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.

Published: 2026-06-25

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

vim

affected

Version	Status	Constraints
`< 9.2.0662`	affected	—

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f
https://github.com/vim/vim/releases/tag/v9.2.0662
https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h

History

Thu, 25 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
Title		Vim: Out-of-bounds Write in Spell File Prefix Dump
Weaknesses		CWE-787
References		https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f https://github.com/vim/vim/releases/tag/v9.2.0662 https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-25T15:32:41.238Z

Updated: 2026-06-25T15:32:41.238Z

Reserved: 2026-06-17T16:59:42.760Z

Link: CVE-2026-55892

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-787
Out-of-bounds Write

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object