CERTFR-2026-AVI-0753
Vulnerability from certfr_avis - Published: 2026-06-15 - Updated: 2026-06-15
Multiple vulnerabilities have been discovered in Microsoft Azure. They allow an attacker to cause a security problem not specified by the vendor.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Impacted products
| Vendor | Product | Description |
|---|---|---|
| Microsoft | N/A | azl3 sqlite 3.44.0-3 versions prior to 3.44.0-4 |
| Microsoft | N/A | azl3 elixir 1.16.1-1 versions prior to 1.16.1-2 |
| Microsoft | N/A | azl3 ldns 1.8.3-2 versions prior to 1.8.3-3 |
| Microsoft | N/A | azl3 rust 1.75.0-29 versions prior to 1.75.0-30 |
| Microsoft | N/A | azl3 lldpd 1.0.17-2 versions prior to 1.0.22-1 |
| Microsoft | N/A | azl3 python3 3.12.9-11 versions prior to 3.12.9-13 |
| Microsoft | N/A | azl3 rust 1.90.0-8 versions prior to 1.90.0-9 |
| Microsoft | N/A | azl3 vim 9.2.0488-1 versions prior to 9.2.0620-1 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 sqlite 3.44.0-3 versions ant\u00e9rieures \u00e0 3.44.0-4",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 elixir 1.16.1-1 versions ant\u00e9rieures \u00e0 1.16.1-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 ldns 1.8.3-2 versions ant\u00e9rieures \u00e0 1.8.3-3",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 rust 1.75.0-29 versions ant\u00e9rieures \u00e0 1.75.0-30",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 lldpd 1.0.17-2 versions ant\u00e9rieures \u00e0 1.0.22-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 python3 3.12.9-11 versions ant\u00e9rieures \u00e0 3.12.9-13",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 rust 1.90.0-8 versions ant\u00e9rieures \u00e0 1.90.0-9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 vim 9.2.0488-1 versions ant\u00e9rieures \u00e0 9.2.0620-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-46433",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46433"
},
{
"name": "CVE-2026-10846",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-10846"
},
{
"name": "CVE-2026-47162",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47162"
},
{
"name": "CVE-2026-11822",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11822"
},
{
"name": "CVE-2026-52858",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52858"
},
{
"name": "CVE-2026-49762",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-49762"
},
{
"name": "CVE-2026-7774",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7774"
},
{
"name": "CVE-2026-11824",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11824"
},
{
"name": "CVE-2026-40034",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40034"
},
{
"name": "CVE-2026-47167",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47167"
},
{
"name": "CVE-2026-52859",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52859"
},
{
"name": "CVE-2026-52860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52860"
}
],
"initial_release_date": "2026-06-15T00:00:00",
"last_revision_date": "2026-06-15T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0753",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-15T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Azure. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure",
"vendor_advisories": [
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-47162",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47162"
},
{
"published_at": "2026-05-31",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-40034",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40034"
},
{
"published_at": "2026-06-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-10846",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10846"
},
{
"published_at": "2026-06-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-11822",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11822"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-47167",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47167"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52860",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52860"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52858",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52858"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-49762",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49762"
},
{
"published_at": "2026-06-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-11824",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11824"
},
{
"published_at": "2026-06-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-7774",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7774"
},
{
"published_at": "2026-06-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46433",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46433"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52859",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52859"
}
]
}
CVE-2026-10846 (GCVE-0-2026-10846)
Vulnerability from cvelistv5 – Published: 2026-06-10 06:37 – Updated: 2026-06-10 14:45
Title
Insufficient verification that responses belong to a query
Summary
NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as (stub) resolver over UDP, lacks matching the query destination address and port with the response source address and port. Furthermore not the query ID, neither the question of the query is matched with that of the response. This makes applications, that use ldns for (stub) resolver functionality over UDP, vulnerable for off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-346 - Origin Validation Error
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| NLnet Labs | ldns | Affected: 1.2.0, < 1.9.1 (semver) |
Date Public
2026-06-10 00:00
Credits
Pablo Ruiz from 'codecome.ai'
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-10T11:15:23.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/10/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10846",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T14:43:35.371858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T14:45:59.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ldns",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "1.9.1",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pablo Ruiz from \u0027codecome.ai\u0027"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as (stub) resolver over UDP, lacks matching the query destination address and port with the response source address and port. Furthermore not the query ID, neither the question of the query is matched with that of the response. This makes applications, that use ldns for (stub) resolver functionality over UDP, vulnerable for off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Applications directly or indirectly using the ldns_send_buffer function for (stub) resolving"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346 Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T14:28:54.993Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/ldns/CVE-2026-10846.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 1.9.2."
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-14T00:00:00.000Z",
"value": "Issue reported by Pablo Ruiz"
},
{
"lang": "en",
"time": "2026-06-02T00:00:00.000Z",
"value": "NLnet Labs shares patch"
},
{
"lang": "en",
"time": "2026-06-02T00:00:00.000Z",
"value": "Pablo Ruiz verifies patch"
},
{
"lang": "en",
"time": "2026-06-10T00:00:00.000Z",
"value": "Fix released with version 1.9.2"
}
],
"title": "Insufficient verification that responses belong to a query",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-10846",
"datePublished": "2026-06-10T06:37:59.538Z",
"dateReserved": "2026-06-04T12:06:54.996Z",
"dateUpdated": "2026-06-10T14:45:59.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11822 (GCVE-0-2026-11822)
Vulnerability from cvelistv5 – Published: 2026-06-09 19:08 – Updated: 2026-06-09 20:02
Title
SQLite before 3.53.2 Memory Corruption in FTS5 Extension
Summary
SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://sqlite.org/src/info/061febcf41ca | patch |
| https://sqlite.org/src/info/4a5ad516ea93 | patch |
| https://sqlite.org/releaselog/3_53_2.html | release-notes |
| https://www.vulncheck.com/advisories/sqlite-befor… | third-party-advisory |
Date Public
2026-06-09 19:10
Credits
Ashish Kunwar (@D0rkerDevil)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11822",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T20:01:49.623614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T20:02:08.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://sqlite.org/",
"defaultStatus": "unaffected",
"platforms": [
"All platforms where SQLITE_ENABLE_FTS5 is defined"
],
"product": "SQLite",
"vendor": "SQLite",
"versions": [
{
"lessThan": "3.53.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ashish Kunwar (@D0rkerDevil)"
}
],
"datePublic": "2026-06-09T19:10:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.\u003c/p\u003e"
}
],
"value": "SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:08:31.019Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://sqlite.org/src/info/061febcf41ca"
},
{
"tags": [
"patch"
],
"url": "https://sqlite.org/src/info/4a5ad516ea93"
},
{
"tags": [
"release-notes"
],
"url": "https://sqlite.org/releaselog/3_53_2.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/sqlite-before-memory-corruption-in-fts5-extension"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQLite before 3.53.2 Memory Corruption in FTS5 Extension"
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-11822",
"datePublished": "2026-06-09T19:08:31.019Z",
"dateReserved": "2026-06-09T18:03:57.669Z",
"dateUpdated": "2026-06-09T20:02:08.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11824 (GCVE-0-2026-11824)
Vulnerability from cvelistv5 – Published: 2026-06-09 19:21 – Updated: 2026-06-09 19:41
Title
SQLite before 3.53.2 Heap Buffer Overflow via FTS5 fts5ChunkIterate
Summary
SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://sqlite.org/src/info/061febcf41ca | patch |
| https://sqlite.org/src/info/4a5ad516ea93 | patch |
| https://sqlite.org/releaselog/3_53_2.html | release-notes |
| https://www.vulncheck.com/advisories/sqlite-befor… | third-party-advisory |
Date Public
2026-06-09 19:30
Credits
Ashish Kunwar (@D0rkerDevil)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11824",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:41:10.263986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:41:18.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://sqlite.org/",
"defaultStatus": "unaffected",
"platforms": [
"All platforms where SQLITE_ENABLE_FTS5 is defined"
],
"product": "SQLite",
"vendor": "SQLite",
"versions": [
{
"lessThan": "3.53.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ashish Kunwar (@D0rkerDevil)"
}
],
"datePublic": "2026-06-09T19:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.\u003c/p\u003e"
}
],
"value": "SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:21:42.603Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://sqlite.org/src/info/061febcf41ca"
},
{
"tags": [
"patch"
],
"url": "https://sqlite.org/src/info/4a5ad516ea93"
},
{
"tags": [
"release-notes"
],
"url": "https://sqlite.org/releaselog/3_53_2.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/sqlite-before-heap-buffer-overflow-via-fts5-fts5chunkiterate"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQLite before 3.53.2 Heap Buffer Overflow via FTS5 fts5ChunkIterate"
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-11824",
"datePublished": "2026-06-09T19:21:42.603Z",
"dateReserved": "2026-06-09T19:11:14.440Z",
"dateUpdated": "2026-06-09T19:41:18.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40034 (GCVE-0-2026-40034)
Vulnerability from cvelistv5 – Published: 2026-05-26 14:08 – Updated: 2026-05-28 16:56
Title
gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule
Summary
gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/GitoxideLabs/gitoxide/security… | vendor-advisory |
| https://github.com/GitoxideLabs/gitoxide/commit/6… | patch |
| https://github.com/GitoxideLabs/gitoxide/commit/d… | patch |
| https://red.anthropic.com/2026/cvd/findings/ANT-2… | third-party-advisory |
| https://www.vulncheck.com/advisories/gitoxide-com… | third-party-advisory |
Impacted products
Date Public
2026-04-25 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40034",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T15:00:27.629890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T15:07:43.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f26g-jm89-4g65"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:cargo/gitoxide",
"product": "gitoxide",
"vendor": "gitoxide",
"versions": [
{
"lessThan": "0.5.21",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.5.21",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:cargo/gix-submodule",
"product": "gix-submodule",
"vendor": "gitoxide",
"versions": [
{
"lessThan": "0.29.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.29.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:cargo/gix",
"product": "gix",
"vendor": "gitoxide",
"versions": [
{
"lessThan": "0.84.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.84.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:56:58.116Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GHSA Advisory GHSA-f26g-jm89-4g65",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f26g-jm89-4g65"
},
{
"name": "https://github.com/GitoxideLabs/gitoxide/commit/6a2e6a436f76c8bbf2487f9967413a51356667a0",
"tags": [
"patch"
],
"url": "https://github.com/GitoxideLabs/gitoxide/commit/6a2e6a436f76c8bbf2487f9967413a51356667a0"
},
{
"name": "https://github.com/GitoxideLabs/gitoxide/commit/dd5c18d9e526e8de462fa40aa047acd097cfa7dc",
"tags": [
"patch"
],
"url": "https://github.com/GitoxideLabs/gitoxide/commit/dd5c18d9e526e8de462fa40aa047acd097cfa7dc"
},
{
"name": "Anthropic CVD Finding ANT-2026-6SNS6KMP",
"tags": [
"third-party-advisory"
],
"url": "https://red.anthropic.com/2026/cvd/findings/ANT-2026-6SNS6KMP"
},
{
"name": "VulnCheck Advisory: gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/gitoxide-command-injection-via-partial-gitmodules-override-in-gix-submodule"
}
],
"title": "gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-40034",
"datePublished": "2026-05-26T14:08:48.264Z",
"dateReserved": "2026-04-08T13:36:56.793Z",
"dateUpdated": "2026-05-28T16:56:58.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46433 (GCVE-0-2026-46433)
Vulnerability from cvelistv5 – Published: 2026-06-09 22:49 – Updated: 2026-06-10 18:12
Title
lldpd: Heap OOB Read in VLAN Decapsulation memmove
Summary
lldpd is an implementation of IEEE 802.1ab (LLDP). Prior to version 1.0.22, lldpd_decode() in src/daemon/lldpd.c strips 802.1Q VLAN tags from received Ethernet frames by calling memmove() to shift the frame payload 4 bytes left. The third argument (byte count) is s - 2 * ETHER_ADDR_LEN but should be s - 2 * ETHER_ADDR_LEN - 4, causing a 4-byte heap buffer over-read past the malloc(h_mtu) allocation when the received frame size equals the interface MTU. This issue has been patched in version 1.0.22.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/lldpd/lldpd/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/lldpd/lldpd/pull/787 | x_refsource_MISC |
| https://github.com/lldpd/lldpd/commit/ca931be63a9… | x_refsource_MISC |
| https://github.com/lldpd/lldpd/releases/tag/1.0.22 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:12:17.598816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:12:30.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lldpd",
"vendor": "lldpd",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.22"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lldpd is an implementation of IEEE 802.1ab (LLDP). Prior to version 1.0.22, lldpd_decode() in src/daemon/lldpd.c strips 802.1Q VLAN tags from received Ethernet frames by calling memmove() to shift the frame payload 4 bytes left. The third argument (byte count) is s - 2 * ETHER_ADDR_LEN but should be s - 2 * ETHER_ADDR_LEN - 4, causing a 4-byte heap buffer over-read past the malloc(h_mtu) allocation when the received frame size equals the interface MTU. This issue has been patched in version 1.0.22."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T22:49:02.749Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lldpd/lldpd/security/advisories/GHSA-2g8p-2h3j-63m3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lldpd/lldpd/security/advisories/GHSA-2g8p-2h3j-63m3"
},
{
"name": "https://github.com/lldpd/lldpd/pull/787",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lldpd/lldpd/pull/787"
},
{
"name": "https://github.com/lldpd/lldpd/commit/ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lldpd/lldpd/commit/ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6"
},
{
"name": "https://github.com/lldpd/lldpd/releases/tag/1.0.22",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lldpd/lldpd/releases/tag/1.0.22"
}
],
"source": {
"advisory": "GHSA-2g8p-2h3j-63m3",
"discovery": "UNKNOWN"
},
"title": "lldpd: Heap OOB Read in VLAN Decapsulation memmove"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46433",
"datePublished": "2026-06-09T22:49:02.749Z",
"dateReserved": "2026-05-13T22:18:22.830Z",
"dateUpdated": "2026-06-10T18:12:30.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47162 (GCVE-0-2026-47162)
Vulnerability from cvelistv5 – Published: 2026-06-11 18:32 – Updated: 2026-06-12 12:47
Title
Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name
Summary
Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/vim/vim/security/advisories/GH… | x_refsource_CONFIRM |
| https://github.com/vim/vim/commit/f08ab2f4d7d2947… | x_refsource_MISC |
| https://github.com/vim/vim/releases/tag/v9.2.0495 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T03:55:42.649076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:47:52.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vim",
"vendor": "vim",
"versions": [
{
"status": "affected",
"version": "\u003c 9.2.0495"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:32:14.471Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c"
},
{
"name": "https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b"
},
{
"name": "https://github.com/vim/vim/releases/tag/v9.2.0495",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/releases/tag/v9.2.0495"
}
],
"source": {
"advisory": "GHSA-crm5-rh6j-2c7c",
"discovery": "UNKNOWN"
},
"title": "Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47162",
"datePublished": "2026-06-11T18:32:14.471Z",
"dateReserved": "2026-05-18T21:25:34.496Z",
"dateUpdated": "2026-06-12T12:47:52.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47167 (GCVE-0-2026-47167)
Vulnerability from cvelistv5 – Published: 2026-06-11 18:31 – Updated: 2026-06-12 12:47
Title
Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex
Summary
Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/vim/vim/security/advisories/GH… | x_refsource_CONFIRM |
| https://github.com/vim/vim/commit/a65a52d684bc585… | x_refsource_MISC |
| https://github.com/vim/vim/releases/tag/v9.2.0496 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T03:55:41.579381Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:47:36.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vim",
"vendor": "vim",
"versions": [
{
"status": "affected",
"version": "\u003c 9.2.0496"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository\u0027s features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:31:44.286Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9"
},
{
"name": "https://github.com/vim/vim/commit/a65a52d684bc58535ad28a4ae824d22e76399934",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/commit/a65a52d684bc58535ad28a4ae824d22e76399934"
},
{
"name": "https://github.com/vim/vim/releases/tag/v9.2.0496",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/releases/tag/v9.2.0496"
}
],
"source": {
"advisory": "GHSA-4473-94jm-w5x9",
"discovery": "UNKNOWN"
},
"title": "Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47167",
"datePublished": "2026-06-11T18:31:44.286Z",
"dateReserved": "2026-05-18T21:25:34.497Z",
"dateUpdated": "2026-06-12T12:47:36.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49762 (GCVE-0-2026-49762)
Vulnerability from cvelistv5 – Published: 2026-06-09 14:04 – Updated: 2026-06-10 04:43
Title
Unbounded integer parsing in the Version module enables CPU and memory exhaustion denial of service
Summary
Uncontrolled Resource Consumption vulnerability in the Elixir standard library's Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion.
The version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required.
This is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata.
This vulnerability is associated with program files lib/version.ex and program routines 'Elixir.Version.Parser':parse_digits/2.
This issue affects Elixir: from 1.5.0 before 1.20.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-lang/elixir/security/ad… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-49762.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49762 | related |
| https://github.com/elixir-lang/elixir/commit/c644… | patch |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| elixir-lang | elixir | Affected: 1.5.0 , < 1.20.1 (semver); cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:* |
| elixir-lang | elixir | Affected: 63e186aea94395897dc4964d82d250130c01ec25 , < c64417d72fd5c7d09e963ca3ac5fa2b140978d9e (git); cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:* |
Credits
Peter Ullrich
José Valim
Eric Meadows-Jönsson
Jonatan Männchen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:48:56.343391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:49:07.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Version\u0027",
"\u0027Elixir.Version.Parser\u0027"
],
"packageName": "elixir-lang/elixir",
"packageURL": "pkg:otp/elixir?repository_url=https:%2F%2Fgithub.com%2Felixir-lang%2Felixir\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Felixir-lang%2Felixir.git",
"product": "elixir",
"programFiles": [
"lib/version.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Version\u0027:parse/1"
},
{
"name": "\u0027Elixir.Version\u0027:parse!/1"
},
{
"name": "\u0027Elixir.Version\u0027:match?/3"
},
{
"name": "\u0027Elixir.Version\u0027:compare/2"
},
{
"name": "\u0027Elixir.Version\u0027:parse_requirement/1"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:parse_version/2"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:parse_digits/2"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:require_digits/1"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:convert_parts_to_integer/2"
}
],
"repo": "https://github.com/elixir-lang/elixir",
"vendor": "elixir-lang",
"versions": [
{
"lessThan": "1.20.1",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Version\u0027",
"\u0027Elixir.Version.Parser\u0027"
],
"packageName": "elixir-lang/elixir",
"packageURL": "pkg:github/elixir-lang/elixir",
"product": "elixir",
"programFiles": [
"lib/elixir/lib/version.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Version\u0027:parse/1"
},
{
"name": "\u0027Elixir.Version\u0027:parse!/1"
},
{
"name": "\u0027Elixir.Version\u0027:match?/3"
},
{
"name": "\u0027Elixir.Version\u0027:compare/2"
},
{
"name": "\u0027Elixir.Version\u0027:parse_requirement/1"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:parse_version/2"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:parse_digits/2"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:require_digits/1"
},
{
"name": "\u0027Elixir.Version.Parser\u0027:convert_parts_to_integer/2"
}
],
"repo": "https://github.com/elixir-lang/elixir.git",
"vendor": "elixir-lang",
"versions": [
{
"lessThan": "c64417d72fd5c7d09e963ca3ac5fa2b140978d9e",
"status": "affected",
"version": "63e186aea94395897dc4964d82d250130c01ec25",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.20.1",
"versionStartIncluding": "1.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Eric Meadows-J\u00f6nsson"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in the Elixir standard library\u0027s \u003ctt\u003eVersion\u003c/tt\u003e module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion.\u003c/p\u003e\u003cp\u003eThe version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (\u003ctt\u003eString.to_integer/1\u003c/tt\u003e, i.e. \u003ctt\u003e:erlang.binary_to_integer/1\u003c/tt\u003e) that pins a BEAM scheduler, and a larger component raises an uncaught \u003ctt\u003eSystemLimitError\u003c/tt\u003e that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required.\u003c/p\u003e\u003cp\u003eThis is reachable from the public entry points \u003ctt\u003eVersion.parse/1\u003c/tt\u003e, \u003ctt\u003eVersion.parse!/1\u003c/tt\u003e, \u003ctt\u003eVersion.match?/3\u003c/tt\u003e, \u003ctt\u003eVersion.compare/2\u003c/tt\u003e, and \u003ctt\u003eVersion.parse_requirement/1\u003c/tt\u003e, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/version.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Version.Parser\u0027:parse_digits/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Elixir: from 1.5.0 before 1.20.1.\u003c/p\u003e"
}
],
"value": "Uncontrolled Resource Consumption vulnerability in the Elixir standard library\u0027s Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion.\n\nThe version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required.\n\nThis is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata.\n\nThis vulnerability is associated with program files lib/version.ex and program routines \u0027Elixir.Version.Parser\u0027:parse_digits/2.\n\nThis issue affects Elixir: from 1.5.0 before 1.20.1."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T04:43:08.517Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-lang/elixir/security/advisories/GHSA-w2h8-8x3g-278p"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49762.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49762"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-lang/elixir/commit/c64417d72fd5c7d09e963ca3ac5fa2b140978d9e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded integer parsing in the Version module enables CPU and memory exhaustion denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49762",
"datePublished": "2026-06-09T14:04:07.405Z",
"dateReserved": "2026-06-01T13:45:22.449Z",
"dateUpdated": "2026-06-10T04:43:08.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52858 (GCVE-0-2026-52858)
Vulnerability from cvelistv5 – Published: 2026-06-11 18:32 – Updated: 2026-06-12 12:48
Title
Vim: Arbitrary Code Execution via Python Omni-Completion
Summary
Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/vim/vim/security/advisories/GH… | x_refsource_CONFIRM |
| https://github.com/vim/vim/commit/4b850457e12e1a6… | x_refsource_MISC |
| https://github.com/vim/vim/releases/tag/v9.2.0561 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-52858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T03:55:43.719621Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:48:03.075Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vim",
"vendor": "vim",
"versions": [
{
"status": "affected",
"version": "\u003c 9.2.0561"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python\u0027s import machinery. Because the buffer\u0027s working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package\u0027s top-level code as the editing user. This issue has been patched in version 9.2.0561."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:32:32.722Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c"
},
{
"name": "https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d"
},
{
"name": "https://github.com/vim/vim/releases/tag/v9.2.0561",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/releases/tag/v9.2.0561"
}
],
"source": {
"advisory": "GHSA-52mc-rq6p-rc7c",
"discovery": "UNKNOWN"
},
"title": "Vim: Arbitrary Code Execution via Python Omni-Completion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52858",
"datePublished": "2026-06-11T18:32:32.722Z",
"dateReserved": "2026-06-08T18:41:27.724Z",
"dateUpdated": "2026-06-12T12:48:03.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52859 (GCVE-0-2026-52859)
Vulnerability from cvelistv5 – Published: 2026-06-11 18:33 – Updated: 2026-06-11 19:38
Title
Vim: Out-of-bounds Read in Terminal Screen Snapshot
Summary
Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/vim/vim/security/advisories/GH… | x_refsource_CONFIRM |
| https://github.com/vim/vim/commit/63680c6d3d52477… | x_refsource_MISC |
| https://github.com/vim/vim/releases/tag/v9.2.0565 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-52859",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T19:35:19.075882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T19:38:46.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vim",
"vendor": "vim",
"versions": [
{
"status": "affected",
"version": "\u003c 9.2.0565"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell\u0027s chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots \u2014 a base character plus five combining marks \u2014 the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:33:09.886Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vim/vim/security/advisories/GHSA-47gw-8gc3-mgcm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vim/vim/security/advisories/GHSA-47gw-8gc3-mgcm"
},
{
"name": "https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19"
},
{
"name": "https://github.com/vim/vim/releases/tag/v9.2.0565",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/releases/tag/v9.2.0565"
}
],
"source": {
"advisory": "GHSA-47gw-8gc3-mgcm",
"discovery": "UNKNOWN"
},
"title": "Vim: Out-of-bounds Read in Terminal Screen Snapshot"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52859",
"datePublished": "2026-06-11T18:33:09.886Z",
"dateReserved": "2026-06-08T18:41:27.725Z",
"dateUpdated": "2026-06-11T19:38:46.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.