CVE-2026-59857
Analyzed Analyzed - Analysis Complete

Buffer Overflow in Vim Text Editor via SAL Sound-Folding Rules

Vulnerability report for CVE-2026-59857, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vim vim to 9.2.0725 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Vim, an open source command line text editor, specifically in versions prior to 9.2.0725. The issue is in the single-byte branch of the function spell_soundfold_sal() located in src/spell.c. The function translates a word using a spell file's SAL sound-folding rules into a buffer owned by the caller. However, the code only checks that the length of the result (reslen) is less than MAXWLEN before writing a null byte, allowing reslen to reach MAXWLEN and causing a write one byte past the end of the stack buffer. This buffer overflow can occur when a boundary-length word is processed through soundfold() or during sound-based spell suggestions with a SAL-based spell language active under a non-multibyte 8-bit encoding. The overflow can corrupt the eval_soundfold() stack frame and crash the editor.

Impact Analysis

This vulnerability can cause the Vim editor to crash due to stack corruption when processing certain words with sound-based spell suggestions under specific encoding conditions. While it does not directly indicate remote code execution or data leakage, the crash can disrupt normal use of the editor and potentially lead to denial of service for users relying on Vim.

Mitigation Strategies

To mitigate this vulnerability, update Vim to version 9.2.0725 or later, where the issue has been fixed.

Detection Guidance

This vulnerability occurs in Vim versions prior to 9.2.0725 when using a non-multibyte 8-bit encoding (e.g., latin1) with spell checking enabled for a SAL-based spell language. Detection involves verifying the Vim version and configuration.

  • Check the installed Vim version to see if it is older than 9.2.0725: `vim --version`
  • Within Vim, check the encoding setting: `:set encoding?` (should not be a non-multibyte 8-bit encoding like latin1 to be vulnerable)
  • Check if spell checking is enabled and using a SAL-based spell language: `:set spell?` and inspect the spell language with `:set spelllang?`

Because the vulnerability triggers on processing a boundary-length word (exactly MAXWLEN bytes) through the soundfold() function with SAL rules, direct detection on a network or system would involve attempting to reproduce the crash by passing crafted input to Vim under these conditions.

No specific network commands or automated detection scripts are provided in the resources. Manual verification of Vim version and configuration is the primary detection method.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-59857 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59857. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart