CVE Catalog

CVE-2026-52859

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile - higher than 21% of all known CVEs

Summary

In Vim, prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copied the visible terminal screen into the scrollback buffer, which could lead to out-of-bounds array access. As a result, a program rendered inside a :terminal window could trigger a crash.

Risk Assessment

Organizations may experience crashes of the Vim editor, potentially leading to data loss or work interruptions. In particular, applications running in the terminal may be susceptible to unforeseen issues.

Recommendation

It is recommended to update Vim to version 9.2.0565 or later to mitigate this vulnerability. Additionally, monitoring applications running in the terminal may help identify potential issues.

Original NVD description (English source)

Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS