CVE-2026-45130
Analyzed Analyzed - Analysis Complete
Heap Buffer Overflow in Vim Text Editor

Publication date: 2026-05-08

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-06-09
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45130
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vim vim to 9.2.0450 (exc)
neovim neovim to 0.12.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Vim, an open source command line text editor, prior to version 9.2.0450. It is a heap buffer overflow in the read_compound() function located in src/spellfile.c. The issue occurs when loading a specially crafted spell file (.spl) with UTF-8 encoding active. An attacker can manipulate a length field in the spell file's compound section, causing an integer multiplication overflow that results in a smaller buffer being allocated than needed. This leads to a heap overflow during a write loop.

Additionally, because the 'spelllang' option can be set from a modeline in a text file, a malicious text file with a modeline can trigger the loading of a crafted spell file if that file has been placed on the runtimepath. This allows the vulnerability to be exploited indirectly through opening a text file.

The vulnerability has been fixed in Vim version 9.2.0450.

Impact Analysis

This vulnerability can lead to a heap buffer overflow, which may allow an attacker to execute arbitrary code, cause a denial of service (application crash), or potentially escalate privileges when a user opens a malicious text file or spell file in Vim.

Since the vulnerability can be triggered by a crafted spell file or indirectly via a modeline in a text file, it poses a risk to users who open untrusted files in Vim with spell checking enabled.

The CVSS v3.1 base score of 6.6 indicates a medium severity with local attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and high impact on availability.

Mitigation Strategies

To mitigate this vulnerability, update Vim to version 9.2.0450 or later, where the heap buffer overflow issue has been patched.

Additionally, avoid loading untrusted or malicious .spl spell files, especially those that could be planted on the runtimepath and triggered via modelines.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45130. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart