Description
Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
Published: 2026-06-25
Score: 4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vim’s spell_soundfold_sofo() function copies characters from a spell file’s SOFO map into a caller‑supplied buffer without checking the buffer length. When a word longer than the 4‑byte MAXWLEN limit is processed, the function writes past the end of the stack buffer, corrupting the call frame and causing the editor to crash. The vulnerability is a classic stack buffer overflow (CWE‑787) and results in a denial of service but not a code execution flaw.

Affected Systems

The flaw affects all Vim installations running a version prior to 9.2.0698. The official fix is included in Vim release 9.2.0698 and all later versions. Systems using older releases are affected regardless of platform or configuration.

Risk and Exploitability

With a CVSS score of 4 the vulnerability is considered medium severity. The exploit requires local access to the Vim process and sufficient input to trigger the overflow; no known network‑based attack vector is documented. EPSS data is unavailable, and the issue is not listed in CISA’s KEV catalog, indicating limited known exploitation. The risk therefore remains moderate, with the primary consequence being application instability and potential denial of service for users.

Generated by OpenCVE AI on June 25, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Vim version 9.2.0698 or newer
  • If an upgrade cannot be performed immediately, avoid using the spell feature with SOFO languages by disabling spell (set 'nospell') or removing the relevant spell file from Vim’s runtime
  • Ensure that any Vim instance running with privileged users or executed from untrusted input is isolated, or use restricted mode (vim -r) to limit the impact of potential stack corruption

Generated by OpenCVE AI on June 25, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Vim
Vim vim
Vendors & Products Vim
Vim vim

Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
Title Vim: Stack out-of-bounds write in `spell_soundfold_sofo()` via an over-length `soundfold()` argument
Weaknesses CWE-787
References
Metrics cvssV4_0

{'score': 4, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Vim Vim
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T23:30:00.892Z

Reserved: 2026-06-24T13:21:20.730Z

Link: CVE-2026-57455

cve-icon Vulnrichment

Updated: 2026-06-25T23:29:56.417Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:15:04Z

Weaknesses