CVE-2026-28421: Improper Input Validation in VIM

Severity
7.8 HIGH (NVD)
OSV: 6.6
EPSS
0.0% (top 98.78%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 27
Latest update: Apr 16

Description

Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (6 packages)

NVD: vim/vim < 9.2.0077
debian: debian/vim < vim 2:9.2.0119-1 (forky)
Debian: vim/vim < 2:9.2.0119-1
Ubuntu: vim/vim < 2:8.2.3995-1ubuntu2.26+6

Patches

Vulnerability Details (3)

VulDB: vim up to 9.2.0076 unvalidated memory corruption (GHSA-r2gw-2x48-jj5p / EUVD-2026-9089), 2026-04-16
OSV: vim vulnerabilities, 2026-03-16
OSV: CVE-2026-28421: Vim is an open source, command line text editor, 2026-02-27

Vendor Advisories (4)

Ubuntu: Vim vulnerabilities, 2026-03-16
Red Hat: vim: Vim: Denial of service and information disclosure via crafted swap file, 2026-02-27
Microsoft: Vim has a heap-buffer-overflow and a segmentation fault, 2026-02-10
Debian: CVE-2026-28421: vim - Vim is an open source, command line text editor. Versions prior to 9.2.0077 have..., 2026

Threat Intelligence (1)

Wiz: CVE-2026-28421 Impact, Exploitability, and Mitigation Steps | Wiz

Community (1)

Bugzilla: CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file, 2026-02-27
CVE-2026-28421 — Improper Input Validation in VIM | cvebase