CVE-2026-52859
Analyzed - Analysis Complete

Heap Buffer Overflow in Vim Text Editor


Publication date: 2026-06-11

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots (a base character plus five combining marks), the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.


Meta Information

Published: 2026-06-11
Last Modified: 2026-06-15
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 1 associated CPE

Vendor | Product | Version / Range
vim | vim | to 9.2.0565 (exc)

Exploitability

CWE

CWE ID | Description
CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer.

Executive Summary

CVE-2026-52859 is an out-of-bounds read vulnerability in the Vim text editor versions prior to 9.2.0565. It occurs in the update_snapshot() function in src/terminal.c, which copies the visible terminal screen into the scrollback buffer. The function processes each screen cell's character array without checking an upper bound, stopping only at a NUL terminator. However, when a cell contains the maximum allowed six characters (a base character plus five combining marks), the bundled libvterm returns the array without a terminating NUL. This causes the function to read beyond the fixed six-element array, appending out-of-bounds values to a buffer reserved for only six characters.

An attacker can exploit this by sending a specific short byte sequence to a terminal window in Vim, which triggers the out-of-bounds read and leads to a crash of the Vim editor.

The vulnerability was fixed in Vim version 9.2.0565 by adding a loop bound check to ensure the character processing does not exceed the maximum allowed characters per cell.
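
The loop pattern from the description and the bounded form the fix is said to add, as an added example on a simplified model. This is not Vim's or libvterm's source: demo_cell, copy_cell_unbounded and copy_cell_bounded are hypothetical names, and the sample cells are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_CHARS_PER_CELL 6   /* mirrors VTERM_MAX_CHARS_PER_CELL (6) from the description */

/* Hypothetical stand-in for a screen cell; not libvterm's real struct. */
typedef struct {
    uint32_t chars[MAX_CHARS_PER_CELL];  /* base char + combining marks; NUL only if room */
} demo_cell;

/* "Before" pattern: the only stop condition is a NUL. On a full cell there is
 * no NUL, so i runs past chars[5] and out[] receives out-of-bounds values. */
static int copy_cell_unbounded(const demo_cell *cell, uint32_t *out)
{
    int i;
    for (i = 0; cell->chars[i] != 0; ++i)
        out[i] = cell->chars[i];
    return i;
}

/* "After" pattern: the index is checked before the element is read. */
static int copy_cell_bounded(const demo_cell *cell, uint32_t *out)
{
    int i;
    for (i = 0; i < MAX_CHARS_PER_CELL && cell->chars[i] != 0; ++i)
        out[i] = cell->chars[i];
    return i;
}

int main(void)
{
    /* Constructed sample cells: 'e' + U+0301, and 'a' + five combining marks. */
    demo_cell partial = {{ 'e', 0x0301, 0, 0, 0, 0 }};
    demo_cell full    = {{ 'a', 0x0300, 0x0301, 0x0302, 0x0303, 0x0304 }};
    uint32_t out[MAX_CHARS_PER_CELL];

    /* The unbounded loop is only called on the NUL-terminated cell. */
    printf("unbounded, partial cell: %d\n", copy_cell_unbounded(&partial, out));
    printf("bounded, partial cell:   %d\n", copy_cell_bounded(&partial, out));
    printf("bounded, full cell:      %d\n", copy_cell_bounded(&full, out));
    return 0;
}
```

The order of the two conditions in the bounded loop matters: testing the index first means chars[6] is never read, even when all six slots are in use.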

Impact Analysis

This vulnerability can cause the Vim editor to crash when processing certain terminal output containing a specific byte sequence. This results in a denial of service (DoS) condition, where the user loses access to the Vim editor until it is restarted.

Since the issue is triggered by output rendered inside a :terminal window, an attacker who can control terminal output could exploit this to disrupt a user's workflow or automated processes relying on Vim.

Detection Guidance

This vulnerability is triggered by a specific byte sequence sent to a Vim terminal window that causes an out-of-bounds read and crash. Detection involves identifying if Vim versions prior to 9.2.0565 are running and if any terminal output could trigger this issue.

Since the vulnerability causes a crash in Vim when processing terminal output, monitoring for unexpected Vim crashes or core dumps related to terminal usage can be an indicator.

There are no specific commands provided in the resources to detect the vulnerability directly on the network or system.

Mitigation Strategies

The primary mitigation step is to update Vim to version 9.2.0565 or later, where the vulnerability has been fixed by adding proper bounds checking in the update_snapshot() function.

Until the update can be applied, avoid running untrusted programs or processing untrusted terminal output inside Vim terminal windows, as the vulnerability can be triggered by a crafted byte sequence.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
