Executive Summary

CVE-2026-55693 is a stack out-of-bounds write vulnerability in the Vim text editor versions prior to 9.2.0653. It occurs in the tree_count_words() function, which processes spell-file word tries by iteratively traversing a trie structure using a depth counter. This counter is not checked against the fixed size of certain stack arrays (arridx[], curi[], wordcount[]), each limited to 254 elements (MAXWLEN). A specially crafted pair of .spl and .sug spell files can cause the function to descend too deeply, writing past the end of these arrays. This corrupts the call frame and crashes the editor when spell suggestion is invoked.

The vulnerability is triggered when a user enables spell checking and requests spell suggestions on a misspelled word. On systems with stack protection, the overflow may be detected and cause the process to abort. Cyclic trie structures can also cause crashes by walking into stack guard pages. The issue was fixed in Vim patch version 9.2.0653 by adding depth checks to prevent exceeding array bounds.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the Vim editor to crash due to stack corruption when processing maliciously crafted spell files. This results in denial of service by making the editor unusable during spell suggestion.

In some cases, the stack out-of-bounds write could potentially be exploited for arbitrary code execution, although the primary impact is crashing the editor.

The attack vector involves delivering a malicious .spl/.sug spell file pair, which Vim loads based on user configurations, so users who open or enable spell checking with such files are at risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is triggered when Vim loads a specially crafted .spl/.sug spell file pair and the user invokes spell suggestion on a misspelled word. Detection involves checking if your Vim installation is vulnerable by verifying the version and testing spell suggestion functionality with crafted spell files.

To detect if your Vim version is vulnerable, first check the Vim version with the command:

• vim --version

If the version is prior to 9.2.0653, it is vulnerable. Additionally, you can test spell suggestion on a misspelled word with spell checking enabled to see if the editor crashes, which may indicate exploitation.

There are no specific network detection commands since the attack vector involves local spell files loaded by Vim, but monitoring for crashes or abnormal terminations of Vim during spell suggestion can be an indicator.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Vim to version 9.2.0653 or later, where the vulnerability has been fixed by adding proper depth checks in the spell file processing functions.

Until the upgrade can be applied, avoid loading or using untrusted or suspicious .spl/.sug spell files, and refrain from invoking spell suggestion on potentially malicious spell files.

Additionally, monitor for any crashes of Vim related to spell suggestion and consider restricting user ability to load custom spell files if possible.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0