Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-06-11T18:33:09 vim: Vim: Denial of Service via out-of-bounds write in terminal handling 5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CWE-787

Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.

A flaw was found in Vim, an open-source command-line text editor. This vulnerability allows a program displaying output in a Vim terminal window to trigger an out-of-bounds write by sending a specific byte sequence. This can lead to a crash of the Vim application, resulting in a Denial of Service (DoS) for the user.

This Moderate flaw in Vim allows a local attacker to cause a denial of service. By displaying specially crafted output within a Vim `:terminal` window, an attacker can trigger an out-of-bounds write, leading to the application crashing. This primarily impacts users who interact with untrusted content or execute untrusted programs within Vim's terminal emulator. Users should exercise caution when opening untrusted files or executing untrusted programs within vim's `:terminal` window. Avoiding interaction with untrusted content in this context can prevent the exploitation of this vulnerability, which leads to a denial of service. Red Hat Enterprise Linux 10 Fix deferred vim Red Hat Enterprise Linux 6 Out of support scope vim Red Hat Enterprise Linux 7 Out of support scope vim Red Hat Enterprise Linux 8 Fix deferred vim Red Hat Enterprise Linux 9 Fix deferred vim Red Hat OpenShift Container Platform 4 Fix deferred rhcos https://www.cve.org/CVERecord?id=CVE-2026-52859 https://nvd.nist.gov/vuln/detail/CVE-2026-52859 https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19 https://github.com/vim/vim/releases/tag/v9.2.0565 https://github.com/vim/vim/security/advisories/GHSA-47gw-8gc3-mgcm