CVE-2026-25749

Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.

CVSS v3 6.6 MEDIUM

6.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.3 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9	Patch
https://github.com/vim/vim/releases/tag/v9.1.2132	Product
https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43	Exploit Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-06 23:15

Updated : 2026-02-20 15:45

NVD link : CVE-2026-25749

Mitre link : CVE-2026-25749

CVE.ORG link : CVE-2026-25749

JSON object : View

Products Affected

vim

vim

CWE

CWE-122

Heap-based Buffer Overflow

{"id": "CVE-2026-25749", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.3}]}, "published": "2026-02-06T23:15:54.230", "references": [{"url": "https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vim/vim/releases/tag/v9.1.2132", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-122"}]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132."}, {"lang": "es", "value": "Vim es un editor de texto de c\u00f3digo abierto de l\u00ednea de comandos. Antes de la versi\u00f3n 9.1.2132, existe una vulnerabilidad de desbordamiento de b\u00fafer de pila en la l\u00f3gica de resoluci\u00f3n de archivos de etiquetas de Vim al procesar la opci\u00f3n 'helpfile'. La vulnerabilidad se encuentra en la funci\u00f3n get_tagfname() en src/tag.c. Al procesar etiquetas de archivos de ayuda, Vim copia el valor de la opci\u00f3n 'helpfile' controlado por el usuario en un b\u00fafer de pila de tama\u00f1o fijo de MAXPATHL + 1 bytes (t\u00edpicamente 4097 bytes) utilizando una operaci\u00f3n STRCPY() insegura sin ninguna comprobaci\u00f3n de l\u00edmites. Este problema ha sido parcheado en la versi\u00f3n 9.1.2132."}], "lastModified": "2026-02-20T15:45:19.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2023836A-3D6F-41D5-905A-7A0E8C1AA874", "versionEndExcluding": "9.1.2132"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}