CVE-2026-25749 — Heap-based Buffer Overflow in VIM

CWE-122 — Heap-based Buffer Overflow CWE-120 — Classic Buffer Overflow9 documents8 sources

Severity

6.6MEDIUMNVD

EPSS

0.0%

top 99.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

VIM Debian VIM

Timeline

PublishedFeb 6

Latest updateApr 16

Description

Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This i…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:HExploitability: 1.3 | Impact: 5.2

Affected Packages4 packages

▶NVDvim/vim< 9.1.2132

▶debiandebian/vim< vim 2:9.1.2141-1 (forky)

▶Debianvim/vim< 2:9.1.2141-1

▶Ubuntuvim/vim< 2:8.2.3995-1ubuntu2.26+6

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

VulDB

Vim up to 9.1.2131 src/tag.c get_tagfname helpfile heap-based overflow (GHSA-5w93-4g67-mm43 / Nessus ID 298305)↗2026-04-16

▶

OSV

vim vulnerabilities↗2026-03-16

▶

OSV

CVE-2026-25749: Vim is an open source, command line text editor↗2026-02-06

▶

📋Vendor Advisories

Ubuntu

Vim vulnerabilities↗2026-03-16

▶

Red Hat

vim: Vim: Arbitrary code execution via 'helpfile' option processing↗2026-02-06

▶

Debian

CVE-2026-25749: vim - Vim is an open source, command line text editor. Prior to version 9.1.2132, a he...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25749 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-25749 vim: Vim: Arbitrary code execution via 'helpfile' option processing↗2026-02-09

▶