Heap-Based Buffer Overflow in Vim Command Line Text Editor
CVE-2026-28418

4.4MEDIUM

Key Information:

Vendor

Vim

Status
Vim
Vendor
CVE Published:
27 February 2026

What is CVE-2026-28418?

Vim, an open-source command line text editor, contains a heap-based buffer overflow vulnerability that occurs during the parsing of Emacs-style tags files. This flaw allows an attacker to craft a malformed tags file which can trick Vim into accessing memory beyond the allocated buffer, potentially leading to unintended memory disclosure or application instability. Users are advised to upgrade to version 9.2.0074 or later to mitigate this issue and ensure safe operation.

Affected Version(s)

vim < 9.2.0074

References

https://github.com/vim/vim/security/advisories/GHSA-h4mf-...
x_refsource_CONFIRM
https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb
x_refsource_MISC
https://github.com/vim/vim/releases/tag/v9.2.0074
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.