CVE Catalog

CVE-2026-55892

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

In Vim before version 9.2.0662, the dump_prefixes() function in src/spell.c does not check the depth of recursion against the size of stack arrays (prefix[], arridx[], curi[]) when processing prefixes from a .spl file. A crafted .spl file can cause an out-of-bounds write on the stack, corrupting the call frame and crashing the editor.

Risk Assessment

An attacker can provide a malicious .spl file that, when opened by the user (e.g., while dumping the word list), crashes Vim. This could lead to loss of unsaved data or potentially arbitrary code execution in the context of the editor process.

Recommendation

Immediately update Vim to version 9.2.0662 or later. Avoid opening untrusted .spl files until the update is applied.

Original NVD description (English source)

Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS