CVE-2026-32249

{"id": "CVE-2026-32249", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-03-12T20:16:05.523", "references": [{"url": "https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vim/vim/releases/tag/v9.2.0137", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137."}, {"lang": "es", "value": "Vim es un editor de texto de c\u00f3digo abierto de l\u00ednea de comandos. Desde la versi\u00f3n 9.1.0011 hasta antes de la 9.2.0137, el compilador de expresiones regulares NFA de Vim, al encontrar una colecci\u00f3n que contiene un car\u00e1cter combinatorio como punto final de un rango de caracteres (por ejemplo, [0-0\\u05bb]), emite incorrectamente los bytes de composici\u00f3n de ese car\u00e1cter como estados NFA separados. Esto corrompe la pila postfija NFA, lo que resulta en que NFA_START_COLL tenga un puntero out1 NULL. Cuando nfa_max_width() posteriormente recorre el NFA compilado para estimar el ancho de coincidencia para la aserci\u00f3n de look-behind, desreferencia state->out1->out sin una verificaci\u00f3n de NULL, causando un fallo de segmentaci\u00f3n. Esta vulnerabilidad se corrige en la versi\u00f3n 9.2.0137."}], "lastModified": "2026-03-18T11:50:06.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83D71745-798E-4425-82EC-1396F4C9F239", "versionEndExcluding": "9.1.0137", "versionStartIncluding": "9.1.0011"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}