CVE-2026-32249

MEDIUM 5.3

NFA regex engine NULL pointer dereference affects Vim < 9.2.0137

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.

CWE	CWE-476
Vendor	vim
Product	vim
Published	Mar 12, 2026
Last Updated	Mar 13, 2026

Stay Ahead of the Next One

Get instant alerts for vim vim

Be the first to know when new medium vulnerabilities affecting vim vim are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

vim / vim

>= 9.1.0011, < 9.2.0137

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r github.com: https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec github.com: https://github.com/vim/vim/releases/tag/v9.2.0137