{
  "threat_severity" : "Low",
  "public_date" : "2026-03-12T19:17:23Z",
  "bugzilla" : {
    "description" : "vim: NFA regex engine NULL pointer dereference",
    "id" : "2447110",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2447110"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-476",
  "details" : [ "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.", "A flaw was found in Vim. A NULL pointer dereference can occur when the NFA regex compiler processes a specific character collection, more specifically one that contains a combining character acting as the endpoint of a character range (e.g., [0-0\\u05bb]). A process or user that can supply a regex pattern can cause an application crash, resulting in a denial of service." ],
  "statement" : "To exploit this issue, an attacker needs to be able to supply a malicious regex pattern to be processed by the NFA regex compiler, including via plugins or command line arguments. Also, this flaw can cause an application crash, resulting only in a denial of service with no other security impact. Due to these reasons, this vulnerability has been rated with low severity.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32249\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32249\nhttps://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec\nhttps://github.com/vim/vim/releases/tag/v9.2.0137\nhttps://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r" ],
  "name" : "CVE-2026-32249",
  "mitigation" : {
    "value" : "To mitigate this vulnerability, disable the NFA (Non-deterministic Finite Automaton) regex engine and enable the traditional backtracking engine by adding the following option to the Vim configuration file:\n~~~\nset regexpengine=1\n~~~",
    "lang" : "en:us"
  },
  "csaw" : false
}