Out-of-Bounds Read Vulnerability in Vim Text Editor
CVE-2026-57454

6.8MEDIUM

Key Information:

Vendor

Vim

Status
Vim
Vendor
CVE Published:
25 June 2026

What is CVE-2026-57454?

Vim, a widely-used open-source command line text editor, suffers from an out-of-bounds read vulnerability that affects versions between 9.2.0320 and 9.2.0679. When processing crafted undo or swap files, the editor may attempt to read a virtual text property using an improper offset, which can lead to accessing memory outside the intended scope. This flaw may crash the editor or expose adjacent heap memory contents, potentially compromising system stability and data security. Users are advised to update to version 9.2.0679 or later to mitigate this risk.

Affected Version(s)

vim >= 9.2.0320, < 9.2.0679

References

https://github.com/vim/vim/security/advisories/GHSA-ww8h-...
x_refsource_CONFIRM
https://github.com/vim/vim/commit/b3faeecc976d3031d7c0675...
x_refsource_MISC
https://github.com/vim/vim/releases/tag/v9.2.0679
x_refsource_MISC

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.