CVE-2026-57452
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
Vim before version 9.2.0671 has a vulnerability when opening files encrypted with VimCrypt~04! or VimCrypt~05! (xchacha20poly1305, requires +sodium feature). If the file body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim.
Risk Assessment
An attacker can crash Vim by providing a specially crafted short encrypted file, leading to a denial of service (DoS) for the user attempting to open it.
Recommendation
Update Vim to version 9.2.0671 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.

