CVE-2026-57455
Undergoing Analysis - In Progress
Stack Out-of-Bounds Write in Vim Text Editor

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
vim | vim | 9.2.0698
vim | vim | to 9.2.0698 (exc)
CWE ID | Description
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-57455 is a stack-based out-of-bounds write vulnerability in the Vim text editor versions prior to 9.2.0698. It occurs in the function spell_soundfold_sofo() within src/spell.c, which translates words using a spell file's SOFO (sound-folding) byte map.

The vulnerability arises because the single-byte branch of this function copies input bytes into a fixed-size stack buffer without proper bounds checking. Specifically, the copy loop advances an output index without limiting it to the buffer's maximum length (MAXWLEN). If a word longer than MAXWLEN (253 bytes) is processed, the function writes past the end of the buffer, corrupting the call frame and causing the editor to crash.

This issue is triggered when using a non-multibyte 8-bit encoding like latin1, with spell checking enabled for a SOFO-based language, and processing an overly long word, such as from untrusted input in a script or plugin. The vulnerability was fixed in Vim version 9.2.0698 by adding proper bounds checking.
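
A simplified model of the unbounded copy loop described above, next to a bounded form, added here as an illustration; it is not Vim's source or the actual 9.2.0698 patch. The names fold_unbounded, fold_bounded, demo_setup and DEMO_MAXWLEN (set to 254 so that a 253-byte word plus its NUL fits) are assumptions, as are the constructed byte map and input word.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_MAXWLEN 254  /* assumed capacity: a 253-byte word plus NUL fits */

/* Unbounded pattern: ri advances until the input NUL, whatever res can hold.
 * Returns the number of bytes written, including the terminator. */
static size_t fold_unbounded(const unsigned char map[256],
                             const unsigned char *word, unsigned char *res)
{
    size_t ri = 0;
    for (const unsigned char *s = word; *s != '\0'; ++s)
        res[ri++] = map[*s];
    res[ri] = '\0';
    return ri + 1;
}

/* Bounded pattern: stop once only the terminator slot is left in res. */
static size_t fold_bounded(const unsigned char map[256],
                           const unsigned char *word,
                           unsigned char *res, size_t res_len)
{
    size_t ri = 0;
    if (res_len == 0) return 0;
    for (const unsigned char *s = word; *s != '\0' && ri + 1 < res_len; ++s)
        res[ri++] = map[*s];
    res[ri] = '\0';
    return ri + 1;
}

/* Constructed input: a word of n 'A' bytes and a map that lower-cases ASCII. */
static void demo_setup(unsigned char map[256], unsigned char *word, size_t n)
{
    for (int i = 0; i < 256; i++)
        map[i] = (unsigned char)((i >= 'A' && i <= 'Z') ? i + 32 : i);
    memset(word, 'A', n);
    word[n] = '\0';
}

int main(void)
{
    unsigned char map[256], word[301], big[512], res[DEMO_MAXWLEN];
    demo_setup(map, word, 300);
    /* big is oversized on purpose so the unbounded loop stays in bounds here */
    size_t need = fold_unbounded(map, word, big);
    size_t used = fold_bounded(map, word, res, sizeof res);
    printf("unbounded: %zu bytes for a %d-byte buffer; bounded: %zu\n",
           need, DEMO_MAXWLEN, used);
    return 0;
}
```

The unbounded variant's return value is the space the caller would have needed; whenever it exceeds the buffer size, the original loop would have written past the end of the caller's stack buffer.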

Impact Analysis

This vulnerability can cause the Vim editor to crash due to stack corruption when processing specially crafted long words under certain spell checking conditions.

Because the out-of-bounds write corrupts the call frame, it could potentially be exploited to execute arbitrary code, although exploitation requires specific conditions such as using an 8-bit encoding like latin1, enabling spell checking with a SOFO-based language, and processing untrusted input.

In practical terms, this means an attacker could cause denial of service by crashing Vim or potentially execute malicious code if they can control the input to the soundfold() function.

Detection Guidance

This vulnerability manifests as a stack out-of-bounds write in Vim when processing words longer than 253 bytes under a SOFO-based spell language with single-byte encoding (e.g., latin1). Detection involves verifying the Vim version and configuration.

  • Check the installed Vim version to see if it is prior to 9.2.0698, which is vulnerable.
  • Verify if Vim is configured to use a single-byte encoding such as latin1 by running: vim --cmd 'set encoding?' -c 'q'
  • Check if spell checking is enabled with a SOFO-based spell language active.
  • Attempt to reproduce the crash by invoking spell suggestions on words longer than 253 bytes in Vim with the above configuration.
Mitigation Strategies

The primary mitigation is to upgrade Vim to version 9.2.0698 or later, where the vulnerability has been fixed.

Alternatively, if upgrading immediately is not possible, avoid using single-byte encodings like latin1 with SOFO-based spell checking enabled, and avoid processing or accepting untrusted input that could trigger the soundfold() function on overly long words.

Disabling spell checking or switching to UTF-8 encoding, which uses a safe multibyte branch with bounds checking, can also reduce risk.
