Description
Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is located in Vim’s get_text_props() function, which reads a stored property count and incorrectly assumes the data length matches the count. When the count is fabricated to be large while the actual buffer contains little data, Vim reads past the end of the line buffer, corrupting memory and resulting in a crash. The flaw is a classic out‑of‑bounds read (CWE‑125) that triggers a denial‑of‑service by crashing the editor.

Affected Systems

Any installation of the Vim text editor older than version 9.2.0670 is affected. The issue was present before the 9.2.0670 release and was addressed in that release. Users running earlier Vim releases should inspect whether they are using autostart or open recent undo files that may contain malicious data.

Risk and Exploitability

With a CVSS base score of 5.3 the risk is moderate. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no known operational exploitation. The likely attack vector is local or remote if an attacker can place a crafted undo file in a location where Vim will load it. The flaw is a memory corruption that requires the victim to load the malicious data; it does not provide remote code execution or privilege escalation.

Generated by OpenCVE AI on June 25, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0670 or later to apply the patch that validates property counts.
  • Remove or quarantine any existing undo files that may have been forged with malicious content.
  • Configure Vim to load undo data from secure, trusted locations only, and consider disabling undo file generation if not needed.

Generated by OpenCVE AI on June 25, 2026 at 16:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 25 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Vim
Vim vim
Vendors & Products Vim
Vim vim

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
Title Vim: Out-of-bounds Read in Text Property Count
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T16:04:53.210Z

Reserved: 2026-06-24T13:21:20.730Z

Link: CVE-2026-57451

cve-icon Vulnrichment

Updated: 2026-06-25T16:04:33.828Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T15:28:50Z

Links: CVE-2026-57451 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:15:04Z

Weaknesses