CVE-2026-32249

MEDIUM EPSS 3.2%
Published Mar 12, 20263mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Mar 12, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 1

VendorProductVersionRange
vimvim*≥9.1.0011  –  <9.1.0137

References 3

  • github.com https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec
    Patch
  • github.com https://github.com/vim/vim/releases/tag/v9.2.0137
    Release Notes
  • github.com https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r
    Vendor Advisory

Remediation

  • github.com https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec
    Patch