CVE-2026-52859

MEDIUM EPSS 21.9%
Published Jun 11, 2026 · Modified Jun 17, 2026
6.9 CVSS 4.0
Medium

Description

Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.
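The loop shape the description refers to, modelled in C beside its bounded counterpart. This is an added illustration, not code from Vim or libvterm: the model_cell_t struct, the attrs_after_chars field and the function names are constructed for the example; only the six-slot chars[] array and the VTERM_MAX_CHARS_PER_CELL limit come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a libvterm screen cell (base char + up to five
 * combining marks). Constructed for this example; not Vim's code. */
#define VTERM_MAX_CHARS_PER_CELL 6

typedef struct {
    uint32_t chars[VTERM_MAX_CHARS_PER_CELL];
    uint32_t attrs_after_chars;  /* other fields follow chars[] in the real struct */
} model_cell_t;

/* Vulnerable pattern from the advisory: stop only at a NUL. A full cell has
 * no NUL, so i runs past chars[]. Shown for contrast; never call on a full cell. */
static size_t walk_unbounded(const model_cell_t *cell, uint32_t *out)
{
    size_t i;
    for (i = 0; cell->chars[i] != 0; i++)   /* no upper bound on i */
        out[i] = cell->chars[i];
    return i;
}

/* Hardened form: bound by the array size and by the caller's buffer, so a
 * full cell yields exactly six characters and never reads beyond them. */
static size_t walk_bounded(const model_cell_t *cell, uint32_t *out, size_t cap)
{
    size_t n;
    for (n = 0; n < VTERM_MAX_CHARS_PER_CELL && n < cap && cell->chars[n] != 0; n++)
        out[n] = cell->chars[n];
    return n;
}

/* Constructed full cell: 'e' plus five combining marks, no terminator; the
 * non-zero field after chars[] is what an unbounded walk would read next. */
static size_t chars_copied_from_full_cell(void)
{
    model_cell_t c = {{'e', 0x0301, 0x0302, 0x0303, 0x0304, 0x0305}, 0x41414141};
    uint32_t out[VTERM_MAX_CHARS_PER_CELL];
    return walk_bounded(&c, out, VTERM_MAX_CHARS_PER_CELL);   /* 6 */
}

/* Constructed partial cell: a NUL exists, so both walks agree (2). */
static size_t chars_copied_from_partial_cell(void)
{
    model_cell_t c = {{'a', 0x0301, 0, 0, 0, 0}, 0x41414141};
    uint32_t out[VTERM_MAX_CHARS_PER_CELL];
    size_t n = walk_bounded(&c, out, VTERM_MAX_CHARS_PER_CELL);
    return n == walk_unbounded(&c, out) ? n : 0;
}
```

The fixed upper bound is the whole fix: with it, a cell that fills all six slots is copied in full and the walk stops at the array edge regardless of whether a NUL is present.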

CVSS Details

Base Score
6.9
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
21.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 1

Vendor   Product   Version   Range
vim      vim       *         <9.2.0565

References 3

  • github.com https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19
    Patch
  • github.com https://github.com/vim/vim/releases/tag/v9.2.0565
    Release Notes
  • github.com https://github.com/vim/vim/security/advisories/GHSA-47gw-8gc3-mgcm
    Vendor Advisory

Remediation

  • github.com https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19
    Patch