CVE-2026-55892

MEDIUM 5.5

Vim: Out-of-bounds Write in Spell File Prefix Dump

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

0th

Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.

CWE	CWE-787
Vendor	vim
Product	vim
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for vim vim

Be the first to know when new medium vulnerabilities affecting vim vim are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

vim / vim

< 9.2.0662

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h github.com: https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f github.com: https://github.com/vim/vim/releases/tag/v9.2.0662