Impact
The vulnerability resides in the dump_prefixes() function of Vim’s spell file handling. A counter that measures traversal depth is not bounded against the fixed-size stack arrays. A maliciously crafted .spl file can force the function to descend arbitrarily deep, causing a stack out‑of‑bounds write and corrupting the call frame. The result is a crash of Vim; the presence of an overflow also raises the possibility of executing arbitrary code if the stack corruption can be controlled.
Affected Systems
Vendor: Vim. Product: vim. Versions: any release prior to 9.2.0662, where the bug is present.
Risk and Exploitability
With a CVSS score of 5.5 the vulnerability is of moderate severity. No EPSS value is reported and it is not listed in CISA’s KEV catalog. The exploit requires the attacker to supply a crafted .spl file that Vim loads during a prefix dump, which is typically a local or file‑based attack. Because the overflow can corrupt the stack, the risk of privilege escalation or remote code execution exists, but exploitation is not guaranteed without additional conditions.
OpenCVE Enrichment
Ubuntu USN