Stack Buffer Overflow in Vim Command Line Text Editor
CVE-2026-28422
2.2 LOW
What is CVE-2026-28422?
A stack buffer overflow vulnerability exists in Vim, an open-source command-line text editor, prior to version 9.2.0078. The issue occurs in the build_stl_str_hl() function when rendering a statusline using a multi-byte fill character on wide terminals. This vulnerability could potentially allow an attacker to manipulate memory and execute arbitrary code. Users should upgrade to version 9.2.0078 or later to mitigate this security risk.
Affected Version(s)
vim < 9.2.0078
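To check a host against the affected range above, the following added example (not part of the original advisory or of Vim's own tooling) parses `vim --version` output and compares it with 9.2.0078. The helper name `vim_status` and the sample banner are constructed for illustration; it assumes the usual `VIM - Vi IMproved X.Y` banner and `Included patches:` line.

```shell
#!/bin/sh
# Added example: classify `vim --version` output against the fixed release 9.2.0078.
# vim_status is a hypothetical helper name; the sample banner below is constructed.

# Reads `vim --version` text on stdin and prints one of:
#   "vulnerable X.Y.P", "fixed X.Y.P" or "unknown"
vim_status() (
    text=$(cat)
    # Banner line looks like: "VIM - Vi IMproved 9.1 (2024 Jan 02, compiled ...)"
    ver=$(printf '%s\n' "$text" |
        sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo "unknown"    # not Vim, or an unexpected banner format
    else
        major=${ver%%.*}
        minor=${ver#*.}
        # "Included patches: 1-77" or "1-3, 5-77": the highest number is the
        # patch level. The line is absent on an unpatched X.Y build (level 0).
        patch=$(printf '%s\n' "$text" | sed -n 's/^Included patches: //p' |
            head -n 1 | tr -c '0-9\n' '\n' | sort -n | tail -n 1)
        patch=${patch:-0}
        # Affected range from the advisory: vim < 9.2.0078
        if [ "$major" -lt 9 ] ||
           { [ "$major" -eq 9 ] && [ "$minor" -lt 2 ]; } ||
           { [ "$major" -eq 9 ] && [ "$minor" -eq 2 ] && [ "$patch" -lt 78 ]; }; then
            echo "vulnerable $ver.$patch"
        else
            echo "fixed $ver.$patch"
        fi
    fi
)

# Constructed sample input, so the script runs without Vim installed.
SAMPLE='VIM - Vi IMproved 9.2 (constructed sample banner)
Included patches: 1-77'

# On a real host, replace the sample with: vim --version | vim_status
printf '%s\n' "$SAMPLE" | vim_status
```

Distribution packages sometimes backport fixes without raising the upstream patch number, so confirm a `vulnerable` result against the vendor's own advisory for the package.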
