CVE-2026-52859
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
In Vim, prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copied the visible terminal screen into the scrollback buffer, which could lead to out-of-bounds array access. As a result, a program rendered inside a :terminal window could trigger a crash.
Risk Assessment
Organizations may experience crashes of the Vim editor, potentially leading to data loss or work interruptions. In particular, applications running in the terminal may be susceptible to unforeseen issues.
Recommendation
It is recommended to update Vim to version 9.2.0565 or later to mitigate this vulnerability. Additionally, monitoring applications running in the terminal may help identify potential issues.
Original NVD description (English source)
Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.

