Vim Vulnerability in NFA Regex Compiler for Open Source Text Editor
CVE-2026-32249
5.3 MEDIUM
What is CVE-2026-32249?
The NFA regex compiler in Vim, an open-source command-line text editor, mishandles a collection that has a combining character at the end of a character range. In that case the compiler can emit incorrect state representations, which corrupts the postfix stack. The corruption triggers a segmentation fault during a later operation, the match width estimation. The vulnerability affects multiple versions of Vim; update to version 9.2.0137 or later.
Affected Version(s)
vim >= 9.1.0011, < 9.2.0137
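
To check a host against the range above, the following added example (not part of the original advisory or of the Vim project) parses `vim --version` output and tests for the fix patch itself, since the patch list can contain gaps. The function names are hypothetical and the sample output is constructed. It assumes the usual `Included patches:` line and cannot see a distribution backport that fixes the bug without changing the reported patch level.

```python
import re
import shutil
import subprocess

# Range stated in the advisory: vim >= 9.1.0011, < 9.2.0137
INTRODUCED = (9, 1, 11)
FIXED = (9, 2, 137)

def parse_vim_version(text):
    """Return ((major, minor), [(lo, hi), ...]) from `vim --version` output."""
    m = re.search(r"Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not `vim --version` output")
    release = (int(m.group(1)), int(m.group(2)))
    ranges = []  # stays empty when the build has no "Included patches" line
    p = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    if p:
        # Entries are single patches or ranges, e.g. "1-135, 140"
        for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", p.group(1)):
            ranges.append((int(lo), int(hi or lo)))
    return release, ranges

def is_affected(text):
    """True when the reported build falls inside the advisory's range."""
    release, ranges = parse_vim_version(text)
    highest = max((hi for _, hi in ranges), default=0)
    if release + (highest,) < INTRODUCED or release > FIXED[:2]:
        return False
    if release == FIXED[:2]:
        # A gap in the list can skip the fix, so test for patch 137 itself
        return not any(lo <= FIXED[2] <= hi for lo, hi in ranges)
    return True

# Constructed sample output (not captured from a real host)
SAMPLE = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-135, 140\n"

if __name__ == "__main__":
    print("sample affected:", is_affected(SAMPLE))
    if shutil.which("vim"):
        out = subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout
        print("local vim affected:", is_affected(out))
```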
