CVE-2026-55693

UNKNOWN 0.0

Vim: Out-of-bounds Write in Spell File Word Count

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.

CWE	CWE-787
Vendor	vim
Product	vim
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for vim vim

Be the first to know when new unknown vulnerabilities affecting vim vim are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

vim / vim

< 9.2.0653

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/vim/vim/security/advisories/GHSA-wgh4-64f7-q3jq github.com: https://github.com/vim/vim/commit/a80874d9b84a01040e3d1aef2d4a59e1934dafb7 github.com: https://github.com/vim/vim/releases/tag/v9.2.0653