<Vulnerability name="CVE-2026-57451">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-25T15:28:50</PublicDate>
    <Bugzilla id="2492978" url="https://bugzilla.redhat.com/show_bug.cgi?id=2492978" xml:lang="en:us">
vim: Vim: Denial of service via crafted undo file
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>5.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-125</CWE>
    <Details xml:lang="en:us" source="Mitre">
Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw in Vim allows an attacker to cause a Denial of Service (DoS) via an application crash. If a user opens a maliciously crafted undo file, an out-of-bounds read is triggered in the get_text_props() function due to missing length validation on property counts.
    </Details>
    <Statement xml:lang="en:us">
Exploitation requires specific user interaction; the vulnerability only triggers when a local user is tricked into opening a specially crafted undo file in Vim. This limits the attack surface to scenarios where untrusted files are intentionally processed
    </Statement>
    <Mitigation xml:lang="en:us">
Users are advised to avoid opening or processing undo files from untrusted or unknown sources. If your team compiles Vim from source, ensure standard compiler security flags (like -D_FORTIFY_SOURCE=2 or 3) are enabled. This provides a safety net by detecting out-of-bounds reads and safely terminating the application before exploitation can occur.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>vim</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>vim</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>vim</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>vim</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>vim</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhcos</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-57451
https://nvd.nist.gov/vuln/detail/CVE-2026-57451
https://github.com/vim/vim/commit/b2338ca90643e2f01ecb6547c1172716aaec4f79
https://github.com/vim/vim/releases/tag/v9.2.0670
https://github.com/vim/vim/security/advisories/GHSA-f36c-2qcp-7gpw
    </References>
</Vulnerability>