CVE-2026-25749

EUVD-2026-6930
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.6 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
GitHub_MCNA
6.6 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Affected Products (NVD)
VendorProductVersion
vimvim
𝑥
< 9.1.2132
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
vim
bookworm
no-dsa
bullseye
postponed
bullseye (security)
vulnerable
forky
2:9.1.2141-1
fixed
sid
2:9.1.2141-1
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9
https://github.com/vim/vim/releases/tag/v9.1.2132
https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43