Vim: Buffer Overflow When Opening Truncated VimCrypt~04!/VimCrypt~05! Files
CVE-2026-57452

5.5 MEDIUM

Key Information:

Vendor: Vim
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-57452?

Vim, the widely used open-source command line text editor, mishandles files encrypted with the VimCrypt~04! or VimCrypt~05! methods. Both methods use libsodium's xchacha20poly1305 secretstream construction, so only Vim builds with the +sodium feature (shown as "+sodium" in the output of :version) are affected. When the body of such a file is shorter than a single libsodium secretstream header, the code subtracts the header size from the body length in unsigned arithmetic without first checking that the body is long enough; the subtraction underflows to a very large value, which is then used as a length during decryption and causes a buffer overflow. The attack is local and needs user interaction: a victim must open a crafted (or merely truncated) encrypted file, at which point Vim crashes. The advisory describes only a crash, not code execution. The issue is fixed in Vim 9.2.0671, and users of earlier +sodium builds should update to that version or later.
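The length arithmetic described above, as an added example that is not Vim's code. It models, in a simplified layout, a VimCrypt~04!/05! file whose body is shorter than one libsodium secretstream header: the vulnerable pattern subtracts first and checks never, the hardened pattern checks first. The header size constant mirrors libsodium's crypto_secretstream_xchacha20poly1305_HEADERBYTES so the block builds without linking libsodium, and the on-disk layout (magic immediately followed by the secretstream header) is an assumption for illustration, not Vim's actual file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Vim's code. Constants mirror libsodium's values so the
 * block builds stand-alone; the file layout below is a simplified assumption. */
#define VIMCRYPT_MAGIC_LEN       12u
#define SECRETSTREAM_HEADERBYTES 24u  /* crypto_secretstream_xchacha20poly1305_HEADERBYTES */

/* Recognise the two sodium-based VimCrypt magic strings. */
static int is_sodium_vimcrypt(const unsigned char *buf, size_t len)
{
    return len >= VIMCRYPT_MAGIC_LEN &&
           (memcmp(buf, "VimCrypt~04!", VIMCRYPT_MAGIC_LEN) == 0 ||
            memcmp(buf, "VimCrypt~05!", VIMCRYPT_MAGIC_LEN) == 0);
}

/* Vulnerable pattern: subtract the header size from the body length in
 * unsigned arithmetic with no prior check. For a body shorter than the header
 * the result wraps to a huge value that a later read or copy would use as its
 * length, which is the overflow the advisory describes. */
size_t vulnerable_ciphertext_len(size_t file_len)
{
    size_t body_len = file_len - VIMCRYPT_MAGIC_LEN;
    return body_len - SECRETSTREAM_HEADERBYTES;       /* wraps when body_len < 24 */
}

/* Does the vulnerable length exceed the number of bytes actually read from disk? */
int vulnerable_overreads(size_t file_len)
{
    return vulnerable_ciphertext_len(file_len) > file_len;
}

/* Hardened pattern: validate before subtracting. Returns the usable ciphertext
 * length, or -1 when the file is not a sodium VimCrypt file or is too short to
 * hold a complete secretstream header. */
long safe_ciphertext_len(const unsigned char *buf, size_t file_len)
{
    if (!is_sodium_vimcrypt(buf, file_len))
        return -1;
    size_t body_len = file_len - VIMCRYPT_MAGIC_LEN;  /* cannot underflow: checked above */
    if (body_len < SECRETSTREAM_HEADERBYTES)
        return -1;                                    /* the advisory's case: reject */
    return (long)(body_len - SECRETSTREAM_HEADERBYTES);
}

/* Constructed input: the magic followed by only 10 body bytes (< 24). */
static const unsigned char truncated_file[] = "VimCrypt~04!0123456789";
#define TRUNCATED_FILE_LEN (sizeof truncated_file - 1)

/* Constructed input: magic, a 24-byte header placeholder, 17 ciphertext bytes. */
static const unsigned char intact_file[] =
    "VimCrypt~05!"
    "HHHHHHHH" "HHHHHHHH" "HHHHHHHH"   /* 24 bytes standing in for the header */
    "CCCCCCCC" "CCCCCCCC" "C";         /* 17 bytes standing in for ciphertext */
#define INTACT_FILE_LEN (sizeof intact_file - 1)

int main(void)
{
    printf("truncated: vulnerable length = %zu, overreads = %d, safe = %ld\n",
           vulnerable_ciphertext_len(TRUNCATED_FILE_LEN),
           vulnerable_overreads(TRUNCATED_FILE_LEN),
           safe_ciphertext_len(truncated_file, TRUNCATED_FILE_LEN));
    printf("intact: safe = %ld\n", safe_ciphertext_len(intact_file, INTACT_FILE_LEN));
    return 0;
}
```

The fix is the ordering of the check and the subtraction: any time a length is derived by subtracting a fixed header size from attacker-controlled input, the comparison must happen on the original length, because once the unsigned subtraction has wrapped there is no value left to compare against.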

Affected Version(s)

vim < 9.2.0671 (builds with the +sodium feature)

Fixed in: 9.2.0671

CVSS v3.1 (base)

Score: 5.5
Severity: MEDIUM
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High (denial of service: Vim crashes; this is the only impact metric consistent with the 5.5 base score, since C:N/I:N/A:N would score 0.0)

Timeline

  • Vulnerability reserved

  • Vulnerability published: 25 June 2026