Description
Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the dump_prefixes() function of Vim’s spell file handling. A counter that measures traversal depth is not bounded against the fixed-size stack arrays. A maliciously crafted .spl file can force the function to descend arbitrarily deep, causing a stack out‑of‑bounds write and corrupting the call frame. The result is a crash of Vim; the presence of an overflow also raises the possibility of executing arbitrary code if the stack corruption can be controlled.

Affected Systems

Vendor: Vim. Product: vim. Versions: any release prior to 9.2.0662, where the bug is present.

Risk and Exploitability

With a CVSS score of 5.5 the vulnerability is of moderate severity. No EPSS value is reported and it is not listed in CISA’s KEV catalog. The exploit requires the attacker to supply a crafted .spl file that Vim loads during a prefix dump, which is typically a local or file‑based attack. Because the overflow can corrupt the stack, the risk of privilege escalation or remote code execution exists, but exploitation is not guaranteed without additional conditions.

Generated by OpenCVE AI on June 25, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to 9.2.0662 or later where the issue is fixed.
  • If an upgrade is not immediately possible, refrain from loading or dumping word lists from untrusted spell files.
  • Monitor Vim releases for additional patches and apply them as soon as they become available.

Generated by OpenCVE AI on June 25, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8500-1 Vim vulnerabilities
History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Vim
Vim vim
Vendors & Products Vim
Vim vim

Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
Title Vim: Out-of-bounds Write in Spell File Prefix Dump
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:43:09.878Z

Reserved: 2026-06-17T16:59:42.760Z

Link: CVE-2026-55892

cve-icon Vulnrichment

Updated: 2026-06-26T17:50:54.305Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T15:32:41Z

Links: CVE-2026-55892 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:15:04Z

Weaknesses