CVE-2026-55892
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
In Vim before version 9.2.0662, the dump_prefixes() function in src/spell.c does not check the depth of recursion against the size of stack arrays (prefix[], arridx[], curi[]) when processing prefixes from a .spl file. A crafted .spl file can cause an out-of-bounds write on the stack, corrupting the call frame and crashing the editor.
Risk Assessment
An attacker can provide a malicious .spl file that, when opened by the user (e.g., while dumping the word list), crashes Vim. This could lead to loss of unsaved data or potentially arbitrary code execution in the context of the editor process.
Recommendation
Immediately update Vim to version 9.2.0662 or later. Avoid opening untrusted .spl files until the update is applied.
Original NVD description (English source)
Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.

