CVE-2026-57451
Undergoing Analysis - In Progress
Out-of-Bounds Read in Vim Text Property Handling

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
Affected Vendors & Products
Showing 2 associated CPEs

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| vim | vim | 9.2.0670 |
| vim | vim | to 9.2.0670 (exc) |
| CWE ID | Description |
|--------|-------------|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Mitigation Strategies

The immediate mitigation step is to upgrade Vim to version 9.2.0670 or later, where the vulnerability has been fixed by adding validation checks on the text property count in undo files.

If upgrading is not immediately possible, consider disabling the 'undofile' feature in Vim to prevent reading potentially malicious undo files.

You can disable the undofile feature by adding the following line to your vimrc configuration file:

  • set noundofile

Additionally, avoid opening files with untrusted or suspicious undo files until the patch is applied.

Executive Summary

CVE-2026-57451 is an out-of-bounds read vulnerability in the Vim text editor versions prior to 9.2.0670. It occurs in the get_text_props() function, which reads a uint16 property count stored inline after a line's text and uses it to determine how many 32-byte text property entries follow. However, the function only checks that there is room for a single entry and does not verify if the count matches the actual data length. This flaw allows an attacker to craft a line with a large property count but minimal data, causing the program to read beyond the end of the line buffer.

This vulnerability can be triggered through a malicious undo file that Vim reads if the 'undofile' option is enabled and the file's content hash matches. Exploitation requires user interaction such as opening a file, performing an undo operation, and displaying the affected line. The result can be a crash or a leak of memory contents due to out-of-bounds reads.
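The missing check described above, shown as an added example in a simplified model; this is not Vim's source code. The buffer layout (text, NUL, count, entries), the function names and the `checked` flag are assumptions for illustration; only the uint16 count and the 32-byte entry size come from the advisory text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROP_SIZE 32u   /* size of one property entry, per the advisory */

/* Returns how many entries a consumer would read after the line text,
 * or -1 if the line is rejected. checked == 0 models the floor-only check. */
static int prop_count(const uint8_t *line, size_t len, int checked)
{
    const uint8_t *nul = memchr(line, 0, len);
    uint16_t count;
    if (nul == NULL)
        return -1;                       /* no terminator: not a valid line */
    size_t textlen = (size_t)(nul - line) + 1;
    size_t rest = len - textlen;         /* bytes stored after the text */
    if (rest == 0)
        return 0;                        /* line carries no properties */
    /* Floor check only: room for the count plus a single entry. */
    if (rest < sizeof(count) + PROP_SIZE)
        return -1;
    memcpy(&count, line + textlen, sizeof(count));
    if (!checked)
        return count;                    /* declared count is trusted as-is */
    /* Hardened: every declared entry must fit in the bytes actually present. */
    if ((size_t)count * PROP_SIZE > rest - sizeof(count))
        return -1;
    return count;
}

/* Constructed sample line: text "hi", a declared count, then zeroed entries. */
static size_t make_line(uint8_t *out, uint16_t declared, unsigned entries)
{
    size_t n = 3;
    memcpy(out, "hi", 3);
    memcpy(out + n, &declared, sizeof(declared));
    n += sizeof(declared);
    memset(out + n, 0, (size_t)entries * PROP_SIZE);
    return n + (size_t)entries * PROP_SIZE;
}

int main(void)
{
    uint8_t buf[3 + 2 + PROP_SIZE];
    size_t len = make_line(buf, 1000, 1);   /* declares 1000, carries 1 */
    printf("floor-only: %d, checked: %d\n", prop_count(buf, len, 0), prop_count(buf, len, 1));
    return 0;
}
```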

Impact Analysis

This vulnerability can impact users by causing Vim to crash or leak memory when processing specially crafted undo files. The out-of-bounds read can lead to memory corruption, which affects the availability of the application.

The CVSS score for this vulnerability is 5.3 (Medium), indicating a moderate severity with low confidentiality impact but high impact on availability.

Detection Guidance

This vulnerability can be detected by checking if your Vim installation is a version prior to 9.2.0670, as those versions are vulnerable to crafted undo files causing out-of-bounds reads.

Detection involves verifying the Vim version and inspecting undo files (.un~) for suspiciously large or malformed text property counts that could trigger the vulnerability.

Since the vulnerability is triggered by opening a file with a crafted undo file and performing undo operations, monitoring for crashes or memory errors in Vim during such operations can also indicate exploitation attempts.

No specific detection commands are provided in the resources, but you can check your Vim version with the command:

  • vim --version

Additionally, you can search for undo files in your project directories with:

  • find . -name '*.un~'

Reviewing these undo files for unusual sizes or recent modifications may help identify potentially malicious files.

Compliance Impact

CVE-2026-57451 is an out-of-bounds read vulnerability in Vim that can lead to memory leaks of property metadata and application crashes. The confidentiality impact is rated as low, and availability impact is high according to the CVSS score.

There is no explicit information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
