CVE-2026-28420Heap-based Buffer Overflow in VIM

CWE-122Heap-based Buffer OverflowCWE-125Out-of-bounds Read10 documents9 sources
Severity
4.4MEDIUMNVD
OSV6.6
EPSS
0.0%
top 99.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
VIMDebian VIMMsrc Azl3 VIM 9.1.1616-1 ON Azure Linux 3.0+1 more
Timeline
PublishedFeb 27
Latest updateApr 16

Description

Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:LExploitability: 1.8 | Impact: 2.5

Affected Packages6 packages

NVDvim/vim< 9.2.0076
debiandebian/vim< vim 2:9.2.0119-1 (forky)
Debianvim/vim< 2:9.2.0119-1
Ubuntuvim/vim< 2:8.2.3995-1ubuntu2.26+6

Patches

Patch: github.comPatch: github.comPatch: www.openwall.com

🔴Vulnerability Details

3
VulDB
vim up to 9.2.0075 heap-based overflow (GHSA-rvj2-jrf9-2phg / EUVD-2026-9088)2026-04-16
OSV
vim vulnerabilities2026-03-16
OSV
CVE-2026-28420: Vim is an open source, command line text editor2026-02-27

📋Vendor Advisories

4
Ubuntu
Vim vulnerabilities2026-03-16
Red Hat
vim: Vim: Information disclosure and denial of service via crafted Unicode characters in terminal emulator2026-02-27
Microsoft
Vim has Heap-based Buffer Overflow and OOB Read in :terminal2026-02-10
Debian
CVE-2026-28420: vim - Vim is an open source, command line text editor. Prior to version 9.2.0076, a he...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-28420 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-28420 vim: Vim: Information disclosure and denial of service via crafted Unicode characters in terminal emulator2026-02-27
CVE-2026-28420 — Heap-based Buffer Overflow in VIM | cvebase