Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-55892 (GCVE-0-2026-55892)
Vulnerability from cvelistv5 – Published: 2026-06-25 15:32 – Updated: 2026-06-26 18:43- CWE-787 - Out-of-bounds Write
| URL | Tags |
|---|---|
| https://github.com/vim/vim/security/advisories/GH… | x_refsource_CONFIRM |
| https://github.com/vim/vim/commit/8325b193bba5f01… | x_refsource_MISC |
| https://github.com/vim/vim/releases/tag/v9.2.0662 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:50:52.811086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:43:09.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vim",
"vendor": "vim",
"versions": [
{
"status": "affected",
"version": "\u003c 9.2.0662"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T15:32:41.238Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h"
},
{
"name": "https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f"
},
{
"name": "https://github.com/vim/vim/releases/tag/v9.2.0662",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/releases/tag/v9.2.0662"
}
],
"source": {
"advisory": "GHSA-qm9w-fmpj-879h",
"discovery": "UNKNOWN"
},
"title": "Vim: Out-of-bounds Write in Spell File Prefix Dump"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55892",
"datePublished": "2026-06-25T15:32:41.238Z",
"dateReserved": "2026-06-17T16:59:42.760Z",
"dateUpdated": "2026-06-26T18:43:09.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-55892",
"date": "2026-07-14",
"epss": "0.00122",
"percentile": "0.02325"
},
"microsoft_vex": {
"current_release_date": "2026-06-30T15:40:19.000Z",
"cve": "CVE-2026-55892",
"id": "msrc_CVE-2026-55892",
"initial_release_date": "2026-06-02T00:00:00.000Z",
"product_status:fixed": "1",
"product_status:known_affected": "2",
"source": "Microsoft CSAF VEX",
"status": "final",
"title": "Vim: Out-of-bounds Write in Spell File Prefix Dump",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-55892.json",
"version": "3"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-55892\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-25T16:16:40.690\",\"lastModified\":\"2026-06-26T19:16:44.667\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"vim\",\"product\":\"vim\",\"versions\":[{\"version\":\"\u003c 9.2.0662\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-26T17:50:52.811086Z\",\"id\":\"CVE-2026-55892\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"9.2.0662\",\"matchCriteriaId\":\"9A5ABC9A-9AEE-44B9-90EC-18E81C622DEE\"}]}]}],\"references\":[{\"url\":\"https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vim/vim/releases/tag/v9.2.0662\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Moderate",
"current_release_date": "2026-07-07T18:58:06+00:00",
"cve": "CVE-2026-55892",
"id": "CVE-2026-55892",
"initial_release_date": "2026-06-25T15:32:41.238000+00:00",
"product_status:fixed": "4",
"product_status:known_affected": "33",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "vim: Vim: Denial of Service via crafted spell file",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-55892.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-55892\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-26T17:50:52.811086Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-26T17:50:54.305Z\"}}], \"cna\": {\"title\": \"Vim: Out-of-bounds Write in Spell File Prefix Dump\", \"source\": {\"advisory\": \"GHSA-qm9w-fmpj-879h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"vim\", \"product\": \"vim\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 9.2.0662\"}]}], \"references\": [{\"url\": \"https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h\", \"name\": \"https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f\", \"name\": \"https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vim/vim/releases/tag/v9.2.0662\", \"name\": \"https://github.com/vim/vim/releases/tag/v9.2.0662\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787: Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-25T15:32:41.238Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-55892\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-26T18:43:09.878Z\", \"dateReserved\": \"2026-06-17T16:59:42.760Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-25T15:32:41.238Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-55892
Vulnerability from fkie_nvd - Published: 2026-06-25 16:16 - Updated: 2026-06-26 19:16{
"affected": [
{
"affectedData": [
{
"product": "vim",
"vendor": "vim",
"versions": [
{
"status": "affected",
"version": "\u003c 9.2.0662"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A5ABC9A-9AEE-44B9-90EC-18E81C622DEE",
"versionEndExcluding": "9.2.0662",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662."
}
],
"id": "CVE-2026-55892",
"lastModified": "2026-06-26T19:16:44.667",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-55892",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:50:52.811086Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-25T16:16:40.690",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/vim/vim/releases/tag/v9.2.0662"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
MSRC_CVE-2026-55892
Vulnerability from csaf_microsoft - Published: 2026-06-02 00:00 - Updated: 2026-06-30 15:40| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 21488-17084 | — |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-2 | — |
None Available
|
|
| Unresolved product id: 17084-1 | — |
Vendor Fix
fix
|
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2026/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2026/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2026-55892 Vim: Out-of-bounds Write in Spell File Prefix Dump - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-55892.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Vim: Out-of-bounds Write in Spell File Prefix Dump",
"tracking": {
"current_release_date": "2026-06-30T15:40:19.000Z",
"generator": {
"date": "2026-07-01T07:19:52.255Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2026-55892",
"initial_release_date": "2026-06-02T00:00:00.000Z",
"revision_history": [
{
"date": "2026-06-27T01:18:31.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-06-28T01:54:30.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
},
{
"date": "2026-06-30T15:40:19.000Z",
"legacy_version": "3",
"number": "3",
"summary": "Information published."
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "azl3 vim 0:9.2.0488-1.azl3",
"product": {
"name": "azl3 vim 0:9.2.0488-1.azl3",
"product_id": "2"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 vim 0:9.2.0620-1.azl3",
"product": {
"name": "\u003cazl3 vim 0:9.2.0620-1.azl3",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "azl3 vim 0:9.2.0620-1.azl3",
"product": {
"name": "azl3 vim 0:9.2.0620-1.azl3",
"product_id": "21488"
}
}
],
"category": "product_name",
"name": "vim"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 vim 0:9.2.0488-1.azl3 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 vim 0:9.2.0620-1.azl3 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 vim 0:9.2.0620-1.azl3 as a component of Azure Linux 3.0",
"product_id": "21488-17084"
},
"product_reference": "21488",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-55892",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"21488-17084"
],
"known_affected": [
"17084-2",
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-55892 Vim: Out-of-bounds Write in Spell File Prefix Dump - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-55892.json"
}
],
"remediations": [
{
"category": "none_available",
"date": "2026-06-27T01:18:31.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17084-2"
]
},
{
"category": "vendor_fix",
"date": "2026-06-27T01:18:31.000Z",
"details": "0:9.2.0735-1.azl3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"17084-2",
"17084-1"
]
}
],
"title": "Vim: Out-of-bounds Write in Spell File Prefix Dump"
}
]
}
RHSA-2026:35387
Vulnerability from csaf_redhat - Published: 2026-07-03 09:43 - Updated: 2026-07-14 11:35A flaw was found in Vim, an open-source command-line text editor. A remote attacker could exploit this vulnerability by convincing a user to load a specially crafted spell file. This malicious file can trigger a stack out-of-bounds write, which corrupts the editor's memory and causes it to crash. This leads to a Denial of Service (DoS), making the editor unavailable to the user.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:vim-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
There is a security flaw in Vim. If you use Vim to open a malicious file written by a hacker, and you use the auto-complete feature while typing, the file can secretly force your computer to run unauthorized commands or malware.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:vim-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Vim, an open-source command-line text editor. The PHP omni-completion script improperly handles specially crafted input. When a victim opens a malicious PHP file and invokes omni-completion, an unescaped class or trait name can be interpreted as Ex commands. This allows a remote attacker to achieve arbitrary operating-system command execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:vim-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
An out-of-bounds write vulnerability in Vim's spell_soundfold_sal() function allows an attacker to corrupt memory and crash the editor (Denial of Service) by supplying a specially crafted word during spell sound-folding.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:vim-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A command injection vulnerability in Vim's C omni-completion script allows an attacker to execute arbitrary commands if a user is tricked into opening a maliciously crafted tags file and manually invoking the autocomplete feature.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:vim-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:vim-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nvim:\n * vim-X11-9.2.780-1.hum1 (aarch64, x86_64)\n * vim-common-9.2.780-1.hum1 (aarch64, x86_64)\n * vim-data-9.2.780-1.hum1 (noarch)\n * vim-default-editor-9.2.780-1.hum1 (noarch)\n * vim-enhanced-9.2.780-1.hum1 (aarch64, x86_64)\n * vim-filesystem-9.2.780-1.hum1 (noarch)\n * vim-minimal-9.2.780-1.hum1 (aarch64, x86_64)\n * xxd-9.2.780-1.hum1 (aarch64, x86_64)\n * vim-9.2.780-1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:35387",
"url": "https://access.redhat.com/errata/RHSA-2026:35387"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-57456",
"url": "https://access.redhat.com/security/cve/CVE-2026-57456"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55892",
"url": "https://access.redhat.com/security/cve/CVE-2026-55892"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59856",
"url": "https://access.redhat.com/security/cve/CVE-2026-59856"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59858",
"url": "https://access.redhat.com/security/cve/CVE-2026-59858"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59857",
"url": "https://access.redhat.com/security/cve/CVE-2026-59857"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_35387.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-07-14T11:35:28+00:00",
"generator": {
"date": "2026-07-14T11:35:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:35387",
"initial_release_date": "2026-07-03T09:43:18+00:00",
"revision_history": [
{
"date": "2026-07-03T09:43:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-10T18:19:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-14T11:35:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "vim-main@src",
"product": {
"name": "vim-main@src",
"product_id": "vim-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vim@9.2.780-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "vim-main@aarch64",
"product": {
"name": "vim-main@aarch64",
"product_id": "vim-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vim-X11@9.2.780-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "vim-main@x86_64",
"product": {
"name": "vim-main@x86_64",
"product_id": "vim-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vim-X11@9.2.780-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "vim-main@noarch",
"product": {
"name": "vim-main@noarch",
"product_id": "vim-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vim-data@9.2.780-1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:vim-main@aarch64"
},
"product_reference": "vim-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:vim-main@noarch"
},
"product_reference": "vim-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:vim-main@src"
},
"product_reference": "vim-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:vim-main@x86_64"
},
"product_reference": "vim-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-55892",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2026-06-25T16:01:52.997166+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2492975"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Vim, an open-source command-line text editor. A remote attacker could exploit this vulnerability by convincing a user to load a specially crafted spell file. This malicious file can trigger a stack out-of-bounds write, which corrupts the editor\u0027s memory and causes it to crash. This leads to a Denial of Service (DoS), making the editor unavailable to the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vim: Vim: Denial of Service via crafted spell file",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Vim\u0027s spell file handling. The dump_prefixes() function in src/spell.c does not validate the depth of the prefix trie against the size of fixed-size stack arrays, allowing a crafted .spl file to cause a stack out-of-bounds write and crash. Red Hat ships Vim in all RHEL versions and OpenShift CoreOS. Exploitation requires a user to load a malicious spell file and run :spelldump or spelling completion.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-55892"
},
{
"category": "external",
"summary": "RHBZ#2492975",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492975"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-55892",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55892"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-55892",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55892"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f",
"url": "https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/releases/tag/v9.2.0662",
"url": "https://github.com/vim/vim/releases/tag/v9.2.0662"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h",
"url": "https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h"
}
],
"release_date": "2026-06-25T15:32:41.238000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-03T09:43:18+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35387"
},
{
"category": "workaround",
"details": "Do not load untrusted spell files (.spl) from unknown sources. Avoid using :spelldump with spell files of unknown provenance.",
"product_ids": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vim: Vim: Denial of Service via crafted spell file"
},
{
"cve": "CVE-2026-57456",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2026-06-25T16:01:37.648886+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2492972"
}
],
"notes": [
{
"category": "description",
"text": "There is a security flaw in Vim. If you use Vim to open a malicious file written by a hacker, and you use the auto-complete feature while typing, the file can secretly force your computer to run unauthorized commands or malware.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vim: Vim: Arbitrary code execution via malicious docstrings in Python omni-completion",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as Important. A vulnerability in Vim\u0027s Python omni-completion feature allows for arbitrary code execution. By opening a specially crafted file, a local attacker could execute arbitrary Python code due to improper handling of docstrings during omni-completion, leading to a compromise of the system where Vim is running.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-57456"
},
{
"category": "external",
"summary": "RHBZ#2492972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-57456",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-57456"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-57456",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57456"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/commit/cce141c42740f122dd8486ae04e21c2a81016ba8",
"url": "https://github.com/vim/vim/commit/cce141c42740f122dd8486ae04e21c2a81016ba8"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/releases/tag/v9.2.0699",
"url": "https://github.com/vim/vim/releases/tag/v9.2.0699"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/security/advisories/GHSA-ppj8-wqjf-6fp3",
"url": "https://github.com/vim/vim/security/advisories/GHSA-ppj8-wqjf-6fp3"
}
],
"release_date": "2026-06-25T15:16:16.015000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-03T09:43:18+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35387"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, users should avoid opening untrusted Python files or using Python omni-completion on such files. If Python omni-completion is not required, it can be disabled by adding `autocmd FileType python setlocal omnifunc=` to your `.vimrc` file. This will prevent the vulnerable code from being executed. Disabling Python omni-completion will remove the ability to use `Ctrl-X Ctrl-O` for Python code completion. A restart of Vim is required for the changes to take effect.",
"product_ids": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "vim: Vim: Arbitrary code execution via malicious docstrings in Python omni-completion"
},
{
"cve": "CVE-2026-59856",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2026-07-09T23:01:40.406872+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2498867"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Vim, an open-source command-line text editor. The PHP omni-completion script improperly handles specially crafted input. When a victim opens a malicious PHP file and invokes omni-completion, an unescaped class or trait name can be interpreted as Ex commands. This allows a remote attacker to achieve arbitrary operating-system command execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vim: Vim: Arbitrary code execution via crafted PHP file in omni-completion",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Product Security has rated this vulnerability as having a Moderate impact. While successful exploitation allows for arbitrary operating-system command execution when a user opens a crafted PHP file and triggers omni-completion, this feature is disabled by default in Red Hat products. The requirement for a non-default configuration, combined with mandatory user interaction, significantly reduces the real-world risk.\"",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-59856"
},
{
"category": "external",
"summary": "RHBZ#2498867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2498867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-59856",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-59856"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-59856",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59856"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/commit/43afc581a37a35762dd0ef292f038b9dc5680a24",
"url": "https://github.com/vim/vim/commit/43afc581a37a35762dd0ef292f038b9dc5680a24"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/security/advisories/GHSA-fh26-8f79-wj97",
"url": "https://github.com/vim/vim/security/advisories/GHSA-fh26-8f79-wj97"
}
],
"release_date": "2026-07-09T22:39:01.803000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-03T09:43:18+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35387"
},
{
"category": "workaround",
"details": "Users should exercise caution when opening untrusted PHP files and avoid invoking omni-completion on them. To prevent exploitation, the PHP omni-completion script can be disabled by moving or renaming `phpcomplete.vim`. For example, execute `mv /usr/share/vim/vim*/autoload/phpcomplete.vim /usr/share/vim/vim*/autoload/phpcomplete.vim.bak`. This action will disable PHP omni-completion functionality. A restart of Vim is necessary for this change to take effect.",
"product_ids": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vim: Vim: Arbitrary code execution via crafted PHP file in omni-completion"
},
{
"cve": "CVE-2026-59857",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2026-07-09T23:01:27.257331+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2498863"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds write vulnerability in Vim\u0027s spell_soundfold_sal() function allows an attacker to corrupt memory and crash the editor (Denial of Service) by supplying a specially crafted word during spell sound-folding.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vim: Vim: Denial of Service via out-of-bounds write in spell sound-folding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Vim\u0027s spell sound-folding feature can lead to a denial of service. A local attacker could provide a specially crafted word, causing an out-of-bounds write and crashing the editor. This vulnerability primarily affects interactive users of the Vim text editor.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-59857"
},
{
"category": "external",
"summary": "RHBZ#2498863",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2498863"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-59857",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-59857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-59857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59857"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/commit/d22ff1c955ff87e8273210eae125aab0e85b6c30",
"url": "https://github.com/vim/vim/commit/d22ff1c955ff87e8273210eae125aab0e85b6c30"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/security/advisories/GHSA-m3hf-xcm3-xhm2",
"url": "https://github.com/vim/vim/security/advisories/GHSA-m3hf-xcm3-xhm2"
}
],
"release_date": "2026-07-09T22:34:54.698000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-03T09:43:18+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35387"
},
{
"category": "workaround",
"details": "This vulnerability can be mitigated by preventing Vim from automatically applying editor configurations embedded in files.\nAdd the following line to the global /etc/vimrc or local ~/.vimrc configuration file:\nset nomodeline",
"product_ids": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vim: Vim: Denial of Service via out-of-bounds write in spell sound-folding"
},
{
"cve": "CVE-2026-59858",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2026-07-09T23:01:43.278752+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2498868"
}
],
"notes": [
{
"category": "description",
"text": "A command injection vulnerability in Vim\u0027s C omni-completion script allows an attacker to execute arbitrary commands if a user is tricked into opening a maliciously crafted tags file and manually invoking the autocomplete feature.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vim: Vim: Arbitrary command execution via crafted tags file in C omni-completion",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate flaw in Vim\u0027s C omni-completion script allows for arbitrary command execution. Exploitation requires a user to open a specially crafted C source file along with a malicious project tags file and then invoke C omni-completion. This limits the attack vector as it relies on specific user interaction and the presence of a hostile tags file, making it less likely to be exploited without user awareness.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-59858"
},
{
"category": "external",
"summary": "RHBZ#2498868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2498868"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-59858",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-59858"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-59858",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59858"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/commit/6b611b0d15603c52ebdad17172b0232b4f65704e",
"url": "https://github.com/vim/vim/commit/6b611b0d15603c52ebdad17172b0232b4f65704e"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/security/advisories/GHSA-mf92-v4xw-j45x",
"url": "https://github.com/vim/vim/security/advisories/GHSA-mf92-v4xw-j45x"
}
],
"release_date": "2026-07-09T22:37:52.789000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-03T09:43:18+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35387"
},
{
"category": "workaround",
"details": "Users are advised to avoid opening untrusted C source files or project tags files in Vim. Exercising caution and only processing trusted content prevents exploitation.",
"product_ids": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:vim-main@aarch64",
"Red Hat Hardened Images:vim-main@noarch",
"Red Hat Hardened Images:vim-main@src",
"Red Hat Hardened Images:vim-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vim: Vim: Arbitrary command execution via crafted tags file in C omni-completion"
}
]
}
ubuntu-cve-2026-55892
Vulnerability from osv_ubuntu
Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "vim",
"binary_version": "2:7.4.052-1ubuntu3.1+esm30"
},
{
"binary_name": "vim-athena",
"binary_version": "2:7.4.052-1ubuntu3.1+esm30"
},
{
"binary_name": "vim-common",
"binary_version": "2:7.4.052-1ubuntu3.1+esm30"
},
{
"binary_name": "vim-gnome",
"binary_version": "2:7.4.052-1ubuntu3.1+esm30"
},
{
"binary_name": "vim-gtk",
"binary_version": "2:7.4.052-1ubuntu3.1+esm30"
},
{
"binary_name": "vim-gui-common",
"binary_version": "2:7.4.052-1ubuntu3.1+esm30"
},
{
"binary_name": "vim-lesstif",
"binary_version": "2:7.4.052-1ubuntu3.1+esm30"
},
{
"binary_name": "vim-nox",
"binary_version": "2:7.4.052-1ubuntu3.1+esm30"
},
{
"binary_name": "vim-runtime",
"binary_version": "2:7.4.052-1ubuntu3.1+esm30"
},
{
"binary_name": "vim-tiny",
"binary_version": "2:7.4.052-1ubuntu3.1+esm30"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "vim",
"purl": "pkg:deb/ubuntu/vim@2:7.4.052-1ubuntu3.1+esm30?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:7.4.052-1ubuntu3.1+esm30"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:7.4.000-1ubuntu2",
"2:7.4.052-1ubuntu1",
"2:7.4.052-1ubuntu2",
"2:7.4.052-1ubuntu3",
"2:7.4.052-1ubuntu3.1",
"2:7.4.052-1ubuntu3.1+esm1",
"2:7.4.052-1ubuntu3.1+esm3",
"2:7.4.052-1ubuntu3.1+esm4",
"2:7.4.052-1ubuntu3.1+esm5",
"2:7.4.052-1ubuntu3.1+esm6",
"2:7.4.052-1ubuntu3.1+esm7",
"2:7.4.052-1ubuntu3.1+esm8",
"2:7.4.052-1ubuntu3.1+esm9",
"2:7.4.052-1ubuntu3.1+esm10",
"2:7.4.052-1ubuntu3.1+esm11",
"2:7.4.052-1ubuntu3.1+esm12",
"2:7.4.052-1ubuntu3.1+esm13",
"2:7.4.052-1ubuntu3.1+esm14",
"2:7.4.052-1ubuntu3.1+esm15",
"2:7.4.052-1ubuntu3.1+esm16",
"2:7.4.052-1ubuntu3.1+esm17",
"2:7.4.052-1ubuntu3.1+esm18",
"2:7.4.052-1ubuntu3.1+esm19",
"2:7.4.052-1ubuntu3.1+esm20",
"2:7.4.052-1ubuntu3.1+esm21",
"2:7.4.052-1ubuntu3.1+esm22",
"2:7.4.052-1ubuntu3.1+esm23",
"2:7.4.052-1ubuntu3.1+esm24",
"2:7.4.052-1ubuntu3.1+esm25",
"2:7.4.052-1ubuntu3.1+esm26",
"2:7.4.052-1ubuntu3.1+esm27",
"2:7.4.052-1ubuntu3.1+esm28",
"2:7.4.052-1ubuntu3.1+esm29"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "vim",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-athena",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-athena-py2",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-common",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-gnome",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-gnome-py2",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-gtk",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-gtk-py2",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-gtk3",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-gtk3-py2",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-gui-common",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-nox",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-nox-py2",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-runtime",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
},
{
"binary_name": "vim-tiny",
"binary_version": "2:7.4.1689-3ubuntu1.5+esm36"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "vim",
"purl": "pkg:deb/ubuntu/vim@2:7.4.1689-3ubuntu1.5+esm36?arch=source\u0026distro=esm-infra-legacy/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:7.4.1689-3ubuntu1.5+esm36"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:7.4.712-2ubuntu4",
"2:7.4.826-1ubuntu1",
"2:7.4.826-1ubuntu2",
"2:7.4.826-1ubuntu3",
"2:7.4.963-1ubuntu1",
"2:7.4.963-1ubuntu4",
"2:7.4.963-1ubuntu5",
"2:7.4.1689-3ubuntu1",
"2:7.4.1689-3ubuntu1.1",
"2:7.4.1689-3ubuntu1.2",
"2:7.4.1689-3ubuntu1.3",
"2:7.4.1689-3ubuntu1.4",
"2:7.4.1689-3ubuntu1.5",
"2:7.4.1689-3ubuntu1.5+esm2",
"2:7.4.1689-3ubuntu1.5+esm3",
"2:7.4.1689-3ubuntu1.5+esm4",
"2:7.4.1689-3ubuntu1.5+esm5",
"2:7.4.1689-3ubuntu1.5+esm6",
"2:7.4.1689-3ubuntu1.5+esm7",
"2:7.4.1689-3ubuntu1.5+esm8",
"2:7.4.1689-3ubuntu1.5+esm10",
"2:7.4.1689-3ubuntu1.5+esm11",
"2:7.4.1689-3ubuntu1.5+esm12",
"2:7.4.1689-3ubuntu1.5+esm13",
"2:7.4.1689-3ubuntu1.5+esm14",
"2:7.4.1689-3ubuntu1.5+esm15",
"2:7.4.1689-3ubuntu1.5+esm17",
"2:7.4.1689-3ubuntu1.5+esm18",
"2:7.4.1689-3ubuntu1.5+esm19",
"2:7.4.1689-3ubuntu1.5+esm20",
"2:7.4.1689-3ubuntu1.5+esm22",
"2:7.4.1689-3ubuntu1.5+esm23",
"2:7.4.1689-3ubuntu1.5+esm24",
"2:7.4.1689-3ubuntu1.5+esm25",
"2:7.4.1689-3ubuntu1.5+esm26",
"2:7.4.1689-3ubuntu1.5+esm27",
"2:7.4.1689-3ubuntu1.5+esm28",
"2:7.4.1689-3ubuntu1.5+esm29",
"2:7.4.1689-3ubuntu1.5+esm30",
"2:7.4.1689-3ubuntu1.5+esm31",
"2:7.4.1689-3ubuntu1.5+esm32",
"2:7.4.1689-3ubuntu1.5+esm33",
"2:7.4.1689-3ubuntu1.5+esm34",
"2:7.4.1689-3ubuntu1.5+esm35"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "vim",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
},
{
"binary_name": "vim-athena",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
},
{
"binary_name": "vim-common",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
},
{
"binary_name": "vim-gnome",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
},
{
"binary_name": "vim-gtk",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
},
{
"binary_name": "vim-gtk3",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
},
{
"binary_name": "vim-gui-common",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
},
{
"binary_name": "vim-nox",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
},
{
"binary_name": "vim-runtime",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
},
{
"binary_name": "vim-tiny",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
},
{
"binary_name": "xxd",
"binary_version": "2:8.0.1453-1ubuntu1.13+esm21"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "vim",
"purl": "pkg:deb/ubuntu/vim@2:8.0.1453-1ubuntu1.13+esm21?arch=source\u0026distro=esm-infra/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:8.0.1453-1ubuntu1.13+esm21"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:8.0.0197-4ubuntu5",
"2:8.0.1144-1ubuntu1",
"2:8.0.1401-1ubuntu1",
"2:8.0.1401-1ubuntu2",
"2:8.0.1401-1ubuntu3",
"2:8.0.1453-1ubuntu1",
"2:8.0.1453-1ubuntu1.1",
"2:8.0.1453-1ubuntu1.3",
"2:8.0.1453-1ubuntu1.4",
"2:8.0.1453-1ubuntu1.6",
"2:8.0.1453-1ubuntu1.7",
"2:8.0.1453-1ubuntu1.8",
"2:8.0.1453-1ubuntu1.9",
"2:8.0.1453-1ubuntu1.10",
"2:8.0.1453-1ubuntu1.11",
"2:8.0.1453-1ubuntu1.12",
"2:8.0.1453-1ubuntu1.13",
"2:8.0.1453-1ubuntu1.13+esm1",
"2:8.0.1453-1ubuntu1.13+esm3",
"2:8.0.1453-1ubuntu1.13+esm4",
"2:8.0.1453-1ubuntu1.13+esm5",
"2:8.0.1453-1ubuntu1.13+esm6",
"2:8.0.1453-1ubuntu1.13+esm7",
"2:8.0.1453-1ubuntu1.13+esm8",
"2:8.0.1453-1ubuntu1.13+esm9",
"2:8.0.1453-1ubuntu1.13+esm10",
"2:8.0.1453-1ubuntu1.13+esm11",
"2:8.0.1453-1ubuntu1.13+esm12",
"2:8.0.1453-1ubuntu1.13+esm13",
"2:8.0.1453-1ubuntu1.13+esm14",
"2:8.0.1453-1ubuntu1.13+esm15",
"2:8.0.1453-1ubuntu1.13+esm16",
"2:8.0.1453-1ubuntu1.13+esm17",
"2:8.0.1453-1ubuntu1.13+esm18",
"2:8.0.1453-1ubuntu1.13+esm19",
"2:8.0.1453-1ubuntu1.13+esm20"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "vim",
"binary_version": "2:8.1.2269-1ubuntu5.32+esm9"
},
{
"binary_name": "vim-athena",
"binary_version": "2:8.1.2269-1ubuntu5.32+esm9"
},
{
"binary_name": "vim-common",
"binary_version": "2:8.1.2269-1ubuntu5.32+esm9"
},
{
"binary_name": "vim-gtk",
"binary_version": "2:8.1.2269-1ubuntu5.32+esm9"
},
{
"binary_name": "vim-gtk3",
"binary_version": "2:8.1.2269-1ubuntu5.32+esm9"
},
{
"binary_name": "vim-gui-common",
"binary_version": "2:8.1.2269-1ubuntu5.32+esm9"
},
{
"binary_name": "vim-nox",
"binary_version": "2:8.1.2269-1ubuntu5.32+esm9"
},
{
"binary_name": "vim-runtime",
"binary_version": "2:8.1.2269-1ubuntu5.32+esm9"
},
{
"binary_name": "vim-tiny",
"binary_version": "2:8.1.2269-1ubuntu5.32+esm9"
},
{
"binary_name": "xxd",
"binary_version": "2:8.1.2269-1ubuntu5.32+esm9"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "vim",
"purl": "pkg:deb/ubuntu/vim@2:8.1.2269-1ubuntu5.32+esm9?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:8.1.2269-1ubuntu5.32+esm9"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:8.1.0875-5ubuntu2",
"2:8.1.0875-5ubuntu3",
"2:8.1.0875-5ubuntu4",
"2:8.1.2269-1ubuntu1",
"2:8.1.2269-1ubuntu4",
"2:8.1.2269-1ubuntu5",
"2:8.1.2269-1ubuntu5.3",
"2:8.1.2269-1ubuntu5.4",
"2:8.1.2269-1ubuntu5.6",
"2:8.1.2269-1ubuntu5.7",
"2:8.1.2269-1ubuntu5.8",
"2:8.1.2269-1ubuntu5.9",
"2:8.1.2269-1ubuntu5.11",
"2:8.1.2269-1ubuntu5.12",
"2:8.1.2269-1ubuntu5.13",
"2:8.1.2269-1ubuntu5.14",
"2:8.1.2269-1ubuntu5.15",
"2:8.1.2269-1ubuntu5.16",
"2:8.1.2269-1ubuntu5.17",
"2:8.1.2269-1ubuntu5.18",
"2:8.1.2269-1ubuntu5.20",
"2:8.1.2269-1ubuntu5.21",
"2:8.1.2269-1ubuntu5.22",
"2:8.1.2269-1ubuntu5.23",
"2:8.1.2269-1ubuntu5.24",
"2:8.1.2269-1ubuntu5.25",
"2:8.1.2269-1ubuntu5.26",
"2:8.1.2269-1ubuntu5.29",
"2:8.1.2269-1ubuntu5.30",
"2:8.1.2269-1ubuntu5.31",
"2:8.1.2269-1ubuntu5.32",
"2:8.1.2269-1ubuntu5.32+esm2",
"2:8.1.2269-1ubuntu5.32+esm3",
"2:8.1.2269-1ubuntu5.32+esm4",
"2:8.1.2269-1ubuntu5.32+esm5",
"2:8.1.2269-1ubuntu5.32+esm6",
"2:8.1.2269-1ubuntu5.32+esm7",
"2:8.1.2269-1ubuntu5.32+esm8"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "vim",
"binary_version": "2:8.2.3995-1ubuntu2.33"
},
{
"binary_name": "vim-athena",
"binary_version": "2:8.2.3995-1ubuntu2.33"
},
{
"binary_name": "vim-common",
"binary_version": "2:8.2.3995-1ubuntu2.33"
},
{
"binary_name": "vim-gtk",
"binary_version": "2:8.2.3995-1ubuntu2.33"
},
{
"binary_name": "vim-gtk3",
"binary_version": "2:8.2.3995-1ubuntu2.33"
},
{
"binary_name": "vim-gui-common",
"binary_version": "2:8.2.3995-1ubuntu2.33"
},
{
"binary_name": "vim-nox",
"binary_version": "2:8.2.3995-1ubuntu2.33"
},
{
"binary_name": "vim-runtime",
"binary_version": "2:8.2.3995-1ubuntu2.33"
},
{
"binary_name": "vim-tiny",
"binary_version": "2:8.2.3995-1ubuntu2.33"
},
{
"binary_name": "xxd",
"binary_version": "2:8.2.3995-1ubuntu2.33"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "vim",
"purl": "pkg:deb/ubuntu/vim@2:8.2.3995-1ubuntu2.33?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:8.2.3995-1ubuntu2.33"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:8.2.2434-3ubuntu3",
"2:8.2.2434-3ubuntu4",
"2:8.2.3565-1ubuntu1",
"2:8.2.3565-1ubuntu2",
"2:8.2.3565-1ubuntu3",
"2:8.2.3565-1ubuntu5",
"2:8.2.3995-1ubuntu1",
"2:8.2.3995-1ubuntu2",
"2:8.2.3995-1ubuntu2.1",
"2:8.2.3995-1ubuntu2.3",
"2:8.2.3995-1ubuntu2.4",
"2:8.2.3995-1ubuntu2.5",
"2:8.2.3995-1ubuntu2.7",
"2:8.2.3995-1ubuntu2.8",
"2:8.2.3995-1ubuntu2.9",
"2:8.2.3995-1ubuntu2.10",
"2:8.2.3995-1ubuntu2.11",
"2:8.2.3995-1ubuntu2.12",
"2:8.2.3995-1ubuntu2.13",
"2:8.2.3995-1ubuntu2.15",
"2:8.2.3995-1ubuntu2.16",
"2:8.2.3995-1ubuntu2.17",
"2:8.2.3995-1ubuntu2.18",
"2:8.2.3995-1ubuntu2.19",
"2:8.2.3995-1ubuntu2.20",
"2:8.2.3995-1ubuntu2.21",
"2:8.2.3995-1ubuntu2.22",
"2:8.2.3995-1ubuntu2.23",
"2:8.2.3995-1ubuntu2.24",
"2:8.2.3995-1ubuntu2.26",
"2:8.2.3995-1ubuntu2.27",
"2:8.2.3995-1ubuntu2.28",
"2:8.2.3995-1ubuntu2.29",
"2:8.2.3995-1ubuntu2.30",
"2:8.2.3995-1ubuntu2.31",
"2:8.2.3995-1ubuntu2.32"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "vim",
"binary_version": "2:9.1.0016-1ubuntu7.17"
},
{
"binary_name": "vim-athena",
"binary_version": "2:9.1.0016-1ubuntu7.17"
},
{
"binary_name": "vim-common",
"binary_version": "2:9.1.0016-1ubuntu7.17"
},
{
"binary_name": "vim-gtk3",
"binary_version": "2:9.1.0016-1ubuntu7.17"
},
{
"binary_name": "vim-gui-common",
"binary_version": "2:9.1.0016-1ubuntu7.17"
},
{
"binary_name": "vim-motif",
"binary_version": "2:9.1.0016-1ubuntu7.17"
},
{
"binary_name": "vim-nox",
"binary_version": "2:9.1.0016-1ubuntu7.17"
},
{
"binary_name": "vim-runtime",
"binary_version": "2:9.1.0016-1ubuntu7.17"
},
{
"binary_name": "vim-tiny",
"binary_version": "2:9.1.0016-1ubuntu7.17"
},
{
"binary_name": "xxd",
"binary_version": "2:9.1.0016-1ubuntu7.17"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "vim",
"purl": "pkg:deb/ubuntu/vim@2:9.1.0016-1ubuntu7.17?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:9.1.0016-1ubuntu7.17"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:9.0.1672-1ubuntu2",
"2:9.0.2087-1ubuntu1",
"2:9.0.2116-1ubuntu1",
"2:9.0.2116-1ubuntu2",
"2:9.0.2184-0ubuntu1",
"2:9.0.2189-1ubuntu1",
"2:9.1.0-1ubuntu1",
"2:9.1.0016-1ubuntu2",
"2:9.1.0016-1ubuntu6",
"2:9.1.0016-1ubuntu7",
"2:9.1.0016-1ubuntu7.1",
"2:9.1.0016-1ubuntu7.2",
"2:9.1.0016-1ubuntu7.3",
"2:9.1.0016-1ubuntu7.4",
"2:9.1.0016-1ubuntu7.5",
"2:9.1.0016-1ubuntu7.6",
"2:9.1.0016-1ubuntu7.7",
"2:9.1.0016-1ubuntu7.8",
"2:9.1.0016-1ubuntu7.9",
"2:9.1.0016-1ubuntu7.10",
"2:9.1.0016-1ubuntu7.11",
"2:9.1.0016-1ubuntu7.12",
"2:9.1.0016-1ubuntu7.13",
"2:9.1.0016-1ubuntu7.14",
"2:9.1.0016-1ubuntu7.15",
"2:9.1.0016-1ubuntu7.16"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "vim",
"binary_version": "2:9.1.0967-1ubuntu6.8"
},
{
"binary_name": "vim-athena",
"binary_version": "2:9.1.0967-1ubuntu6.8"
},
{
"binary_name": "vim-common",
"binary_version": "2:9.1.0967-1ubuntu6.8"
},
{
"binary_name": "vim-gtk3",
"binary_version": "2:9.1.0967-1ubuntu6.8"
},
{
"binary_name": "vim-gui-common",
"binary_version": "2:9.1.0967-1ubuntu6.8"
},
{
"binary_name": "vim-motif",
"binary_version": "2:9.1.0967-1ubuntu6.8"
},
{
"binary_name": "vim-nox",
"binary_version": "2:9.1.0967-1ubuntu6.8"
},
{
"binary_name": "vim-runtime",
"binary_version": "2:9.1.0967-1ubuntu6.8"
},
{
"binary_name": "vim-tiny",
"binary_version": "2:9.1.0967-1ubuntu6.8"
},
{
"binary_name": "xxd",
"binary_version": "2:9.1.0967-1ubuntu6.8"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "vim",
"purl": "pkg:deb/ubuntu/vim@2:9.1.0967-1ubuntu6.8?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:9.1.0967-1ubuntu6.8"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:9.1.0967-1ubuntu4",
"2:9.1.0967-1ubuntu5",
"2:9.1.0967-1ubuntu6",
"2:9.1.0967-1ubuntu6.1",
"2:9.1.0967-1ubuntu6.2",
"2:9.1.0967-1ubuntu6.3",
"2:9.1.0967-1ubuntu6.4",
"2:9.1.0967-1ubuntu6.5",
"2:9.1.0967-1ubuntu6.6",
"2:9.1.0967-1ubuntu6.7"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "vim",
"binary_version": "2:9.1.2141-1ubuntu4.6"
},
{
"binary_name": "vim-common",
"binary_version": "2:9.1.2141-1ubuntu4.6"
},
{
"binary_name": "vim-gtk3",
"binary_version": "2:9.1.2141-1ubuntu4.6"
},
{
"binary_name": "vim-gui-common",
"binary_version": "2:9.1.2141-1ubuntu4.6"
},
{
"binary_name": "vim-motif",
"binary_version": "2:9.1.2141-1ubuntu4.6"
},
{
"binary_name": "vim-nox",
"binary_version": "2:9.1.2141-1ubuntu4.6"
},
{
"binary_name": "vim-runtime",
"binary_version": "2:9.1.2141-1ubuntu4.6"
},
{
"binary_name": "vim-tiny",
"binary_version": "2:9.1.2141-1ubuntu4.6"
},
{
"binary_name": "xxd",
"binary_version": "2:9.1.2141-1ubuntu4.6"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "vim",
"purl": "pkg:deb/ubuntu/vim@2:9.1.2141-1ubuntu4.6?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:9.1.2141-1ubuntu4.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:9.1.0967-1ubuntu6",
"2:9.1.1882-1ubuntu1",
"2:9.1.1882-1ubuntu2",
"2:9.1.2141-1ubuntu1",
"2:9.1.2141-1ubuntu2",
"2:9.1.2141-1ubuntu4",
"2:9.1.2141-1ubuntu4.1",
"2:9.1.2141-1ubuntu4.2",
"2:9.1.2141-1ubuntu4.3",
"2:9.1.2141-1ubuntu4.5"
]
}
],
"aliases": [],
"details": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
"id": "UBUNTU-CVE-2026-55892",
"modified": "2026-07-02T20:49:18Z",
"published": "2026-06-25T16:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-55892"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55892"
},
{
"type": "REPORT",
"url": "https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8500-1"
}
],
"related": [
"USN-8500-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-55892"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.