CVE-2026-25749

MEDIUM EPSS 11.6%
Published Feb 6, 20264mo ago · Modified Jun 17, 20262w ago
6.6 CVSS 3.1
Medium
Find Similar
Published Feb 6, 2026 4mo ago
Last Modified Jun 17, 2026 2w ago

Description

Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.

CVSS Details

Base Score
6.6
Exploitability
1.3
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
11.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-122

Affected Products 2

VendorProductVersionRange
neovimneovim* ≤0.11.6
vimvim* <9.1.2132

References 3

  • github.com https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9
    Patch
  • github.com https://github.com/vim/vim/releases/tag/v9.1.2132
    Product
  • github.com https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43
    ExploitPatchVendor Advisory

Remediation

  • github.com https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9
    Patch
  • github.com https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43
    ExploitPatchVendor Advisory