Heap-Based Buffer Overflow in Vim Command Line Text Editor
CVE-2026-28420

4.4MEDIUM

Key Information:

Vendor

Vim

Status
Vim
Vendor
CVE Published:
27 February 2026

What is CVE-2026-28420?

Vim, an open-source command line text editor, has reported a heap-based buffer overflow vulnerability in its terminal emulator. This issue arises when processing maximum combining characters from Unicode supplementary planes, leading to potential security risks. Users are advised to update to version 9.2.0076 or later to mitigate this vulnerability, ensuring the integrity and security of their text editing operations.

Affected Version(s)

vim < 9.2.0076

References

https://github.com/vim/vim/security/advisories/GHSA-rvj2-...
x_refsource_CONFIRM
https://github.com/vim/vim/commit/bb6de2105b160e729c34063
x_refsource_MISC
https://github.com/vim/vim/releases/tag/v9.2.0076
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.