CVE-2026-45130

MEDIUM 6.6

Vim: Heap Buffer Overflow in spell file loading

CVSS Score

6.6

EPSS Score

0.0%

EPSS Percentile

0th

Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.

CWE	CWE-122 CWE-190
Vendor	vim
Product	vim
Published	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for vim vim

Be the first to know when new medium vulnerabilities affecting vim vim are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Affected Versions

vim / vim

< 9.2.0450

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv github.com: https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8 github.com: https://github.com/vim/vim/releases/tag/v9.2.0450