CVE-2026-25749
Published 2026-02-06
Priority: P4 · 30 · medium · 6.6 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
EPSS: 0.21% (11.6th percentile)
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
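The copy pattern described above, next to a length-checked form, as an added example: this is not Vim's source and not the 9.1.2132 patch. The function names and the MAXPATHL value of 4096 are assumptions made for illustration, and the test value is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATHL 4096 /* assumed; the advisory gives MAXPATHL + 1 as typically 4097 */

/* Pattern from the advisory: strcpy() writes strlen(src) + 1 bytes regardless
 * of the destination size, so any value longer than MAXPATHL overruns buf. */
char *copy_helpfile_unchecked(const char *helpfile)
{
    char *buf = malloc(MAXPATHL + 1);
    if (buf != NULL)
        strcpy(buf, helpfile);
    return buf;
}

/* Hardened form (hypothetical): measure first, reject what cannot fit. */
char *copy_helpfile_checked(const char *helpfile)
{
    size_t len = helpfile ? strlen(helpfile) : 0;
    char *buf;

    if (helpfile == NULL || len > MAXPATHL)
        return NULL;
    buf = malloc(MAXPATHL + 1);
    if (buf != NULL)
        memcpy(buf, helpfile, len + 1); /* len + 1 <= MAXPATHL + 1 */
    return buf;
}

/* Feed the checked copy a constructed value of n bytes; 1 = accepted intact. */
int accepts_length(size_t n)
{
    char *value = malloc(n + 1), *copy;
    int ok;

    if (value == NULL)
        return -1;
    memset(value, 'A', n);
    value[n] = '\0';
    copy = copy_helpfile_checked(value);
    ok = copy != NULL && strlen(copy) == n;
    free(copy);
    free(value);
    return ok;
}

int main(void)
{
    printf("%d %d\n", accepts_length(MAXPATHL), accepts_length(MAXPATHL + 1));
    return 0;
}
```

The boundary is the point: a value of exactly MAXPATHL bytes fits with its terminator, and one byte more is the first length the unchecked copy would write past the allocation.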
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vim | < vim 2:9.1.2141-1 (forky) | vim 2:9.1.2141-1 (forky) |
| neovim | neovim | <= 0.11.6 | — |
| vim | vim | < 9.1.2132 | 9.1.2132 |
| vim | vim | >= 0 < 2:9.1.2141-1 | 2:9.1.2141-1 |
| vim | vim | >= 0 < 2:8.2.3995-1ubuntu2.26 | 2:8.2.3995-1ubuntu2.26 |
| vim | vim | >= 0 < 2:9.1.0016-1ubuntu7.10 | 2:9.1.0016-1ubuntu7.10 |
| vim | vim | >= 0 < 2:9.1.0967-1ubuntu6.1 | 2:9.1.0967-1ubuntu6.1 |
| vim | vim | >= 0 < 2:7.4.052-1ubuntu3.1+esm23 | 2:7.4.052-1ubuntu3.1+esm23 |
| vim | vim | >= 0 < 2:7.4.1689-3ubuntu1.5+esm29 | 2:7.4.1689-3ubuntu1.5+esm29 |
| vim | vim | >= 0 < 2:8.0.1453-1ubuntu1.13+esm14 | 2:8.0.1453-1ubuntu1.13+esm14 |
| vim | vim | >= 0 < 2:8.1.2269-1ubuntu5.32+esm2 | 2:8.1.2269-1ubuntu5.32+esm2 |
CVSS provenance
nvd · v3.1 · 6.6 · MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
osv · 6.6 · MEDIUM
vendor_debian · 6.6 · MEDIUM
vendor_redhat · 6.6 · MEDIUM
vendor_ubuntu · 6.6 · MEDIUM
Ubuntu
Vim vulnerabilities
vendor_ubuntu·2026-03-16·CVSS 6.6
CVE-2026-25749 [MEDIUM] Vim vulnerabilities
Title: Vim vulnerabilities
Summary: Several security issues were fixed in Vim.
Rahul Hoysala discovered that Vim did not correctly handle certain tag
resolutions. An attacker could possibly use this issue to cause a denial
of service. (CVE-2026-25749)
It was discovered that Vim did not correctly handle processing certain
specialKey commands. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2026-26269)
Kim Dong Han discovered that Vim did not correctly handle opening certain
URLs. If a user or system were tricked into opening a specially crafted
file, an attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-28417)
Kim Dong Han discovered that Vim did not correctly handle parsing
Emacs-style tag files. An attack
Red Hat
vim: Vim: Arbitrary code execution via 'helpfile' option processing
vendor_redhat·2026-02-06·CVSS 6.6
CVE-2026-25749 [MEDIUM] CWE-120 vim: Vim: Arbitrary code execution via 'helpfile' option processing
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
A flaw was found in Vim, an open source, command line text editor. This heap buffer overflow vulnerability exists in the tag file resolution logic when processing the 'helpfile' option. A
Debian
CVE-2026-25749: vim - Vim is an open source, command line text editor. Prior to version 9.1.2132, a he...
vendor_debian·2026·CVSS 6.6
CVE-2026-25749 [MEDIUM] CVE-2026-25749: vim - Vim is an open source, command line text editor. Prior to version 9.1.2132, a he...
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2:9.1.2141-1)
sid: resolved (fixed in 2:9.1.2141-1)
trixie: open
VulDB
Vim up to 9.1.2131 src/tag.c get_tagfname helpfile heap-based overflow (GHSA-5w93-4g67-mm43 / Nessus ID 298305)
vuldb·2026-04-16·CVSS 6.6
CVE-2026-25749 [MEDIUM] Vim up to 9.1.2131 src/tag.c get_tagfname helpfile heap-based overflow (GHSA-5w93-4g67-mm43 / Nessus ID 298305)
A vulnerability classified as critical has been found in Vim up to 9.1.2131. This affects the function get_tagfname of the file src/tag.c. The manipulation of the argument helpfile leads to heap-based buffer overflow.
This vulnerability is traded as CVE-2026-25749. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
OSV
vim vulnerabilities
osv·2026-03-16·CVSS 6.6
CVE-2026-25749 [MEDIUM] vim vulnerabilities
Rahul Hoysala discovered that Vim did not correctly handle certain tag
resolutions. An attacker could possibly use this issue to cause a denial
of service. (CVE-2026-25749)
It was discovered that Vim did not correctly handle processing certain
specialKey commands. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2026-26269)
Kim Dong Han discovered that Vim did not correctly handle opening certain
URLs. If a user or system were tricked into opening a specially crafted
file, an attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-28417)
Kim Dong Han discovered that Vim did not correctly handle parsing
Emacs-style tag files. An attacker could possibly use this issue to cause
a denial of servic
OSV
CVE-2026-25749: Vim is an open source, command line text editor
osv·2026-02-06·CVSS 6.6
CVE-2026-25749 [MEDIUM] CVE-2026-25749: Vim is an open source, command line text editor
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-25749 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.6
CVE-2026-25749 [MEDIUM] CVE-2026-25749 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25749: Vim vulnerability analysis and mitigation
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
Source: NVD
Score: 6.6
Published: February 6, 2026
Severity: MEDIUM
CNA Score: 6.6
Affected Technologies: Vim, Rocky Linux
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Re
Bugzilla
CVE-2026-25749 vim: Vim: Arbitrary code execution via 'helpfile' option processing
bugzilla·2026-02-09·CVSS 6.6
CVE-2026-25749 [MEDIUM] CVE-2026-25749 vim: Vim: Arbitrary code execution via 'helpfile' option processing
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
Discussion:
Hi,
Is someone looking into this Security Vulnerability?
Regards,
Naresh
---
This issue has been addressed in the following products:
Red Hat Enterprise