CVE-2026-45130

EUVD-2026-28871

08.05.2026, 23:16

Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.6 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Affected Products (NVD)

Vendor	Product	Version
neovim	neovim	𝑥 ≤ 0.12.2
vim	vim	𝑥 < 9.2.0450

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

vim

bookworm	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	2:9.2.0524-1 fixed
sid	2:9.2.0524-1 fixed
trixie	vulnerable

openSUSE / SLES Releases

openSUSE Product

Release

gvim

suse enterprise sap 15 SP5	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP6	9.2.0530-150500.20.52.1 fixed
suse enterprise server 12 SP3	9.2.0530-17.68.1 fixed
suse enterprise server 12 SP5	9.2.0530-17.68.1 fixed
suse enterprise server 15 SP4	9.2.0530-150000.5.94.1 fixed
suse enterprise server 15 SP5	9.2.0530-150500.20.52.1 fixed
suse enterprise server 15 SP6	9.2.0530-150500.20.52.1 fixed

vim

suse enterprise desktop 15 SP7	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP5	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP6	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP7	9.2.0530-150500.20.52.1 fixed
suse enterprise server 12 SP3	9.2.0530-17.68.1 fixed
suse enterprise server 12 SP5	9.2.0530-17.68.1 fixed
suse enterprise server 15 SP4	9.2.0530-150000.5.94.1 fixed
suse enterprise server 15 SP5	9.2.0530-150500.20.52.1 fixed
suse enterprise server 15 SP6	9.2.0530-150500.20.52.1 fixed
suse enterprise server 15 SP7	9.2.0530-150500.20.52.1 fixed

vim-data

suse enterprise desktop 15 SP7	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP5	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP6	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP7	9.2.0530-150500.20.52.1 fixed
suse enterprise server 12 SP3	9.2.0530-17.68.1 fixed
suse enterprise server 12 SP5	9.2.0530-17.68.1 fixed
suse enterprise server 15 SP4	9.2.0530-150000.5.94.1 fixed
suse enterprise server 15 SP5	9.2.0530-150500.20.52.1 fixed
suse enterprise server 15 SP6	9.2.0530-150500.20.52.1 fixed
suse enterprise server 15 SP7	9.2.0530-150500.20.52.1 fixed

vim-data-common

suse enterprise desktop 15 SP7	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP5	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP6	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP7	9.2.0530-150500.20.52.1 fixed
suse enterprise server 12 SP3	9.2.0530-17.68.1 fixed
suse enterprise server 12 SP5	9.2.0530-17.68.1 fixed
suse enterprise server 15 SP4	9.2.0530-150000.5.94.1 fixed
suse enterprise server 15 SP5	9.2.0530-150500.20.52.1 fixed
suse enterprise server 15 SP6	9.2.0530-150500.20.52.1 fixed
suse enterprise server 15 SP7	9.2.0530-150500.20.52.1 fixed

vim-small

suse enterprise desktop 15 SP7	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP5	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP6	9.2.0530-150500.20.52.1 fixed
suse enterprise sap 15 SP7	9.2.0530-150500.20.52.1 fixed
suse enterprise server 15 SP4	9.2.0530-150000.5.94.1 fixed
suse enterprise server 15 SP5	9.2.0530-150500.20.52.1 fixed
suse enterprise server 15 SP6	9.2.0530-150500.20.52.1 fixed
suse enterprise server 15 SP7	9.2.0530-150500.20.52.1 fixed

Amazon Linux Releases

Amazon Package

Release

vim-common

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

vim-data

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

vim-debuginfo

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

vim-debugsource

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

vim-default-editor

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

vim-enhanced

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

vim-enhanced-debuginfo

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

vim-filesystem

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

vim-minimal

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

vim-minimal-debuginfo

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

xxd

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

xxd-debuginfo

Amazon Linux 2023

2:9.2.597-1.amzn2023.0.1

fixed

Azure Linux Releases

Azure Package

Release

vim

Azure Linux 3.0

0:9.2.0461-1.azl3

fixed

Known Exploits!

https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv

Common Weakness Enumeration

CWE-122 - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

References

https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8

https://github.com/vim/vim/releases/tag/v9.2.0450

https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv

http://www.openwall.com/lists/oss-security/2026/05/14/3