CVE-2026-45130
Heap Buffer Overflow in Vim Text Editor
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vim | vim | to 9.2.0450 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Vim, an open source command line text editor, prior to version 9.2.0450. It is a heap buffer overflow in the read_compound() function located in src/spellfile.c. The issue occurs when loading a specially crafted spell file (.spl) with UTF-8 encoding active. An attacker can manipulate a length field in the spell file's compound section, causing an integer multiplication overflow that results in a smaller buffer being allocated than needed. This leads to a heap overflow during a write loop.
Additionally, because the 'spelllang' option can be set from a modeline in a text file, a malicious text file with a modeline can trigger the loading of a crafted spell file if that file has been placed on the runtimepath. This allows the vulnerability to be exploited indirectly through opening a text file.
The vulnerability has been fixed in Vim version 9.2.0450.
How can this vulnerability impact me? :
This vulnerability can lead to a heap buffer overflow, which may allow an attacker to execute arbitrary code, cause a denial of service (application crash), or potentially escalate privileges when a user opens a malicious text file or spell file in Vim.
Since the vulnerability can be triggered by a crafted spell file or indirectly via a modeline in a text file, it poses a risk to users who open untrusted files in Vim with spell checking enabled.
The CVSS v3.1 base score of 6.6 indicates a medium severity with local attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and high impact on availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Vim to version 9.2.0450 or later, where the heap buffer overflow issue has been patched.
Additionally, avoid loading untrusted or malicious .spl spell files, especially those that could be planted on the runtimepath and triggered via modelines.