CVE-2026-28422 — Stack-based Buffer Overflow in VIM

CWE-121 — Stack-based Buffer Overflow CWE-135 — Incorrect Calculation of Multi-Byte String Length10 documents9 sources

Severity

2.2LOWNVD

OSV6.6

EPSS

0.0%

top 99.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

VIM Debian VIM Msrc Azl3 VIM 9.1.1616-1 ON Azure Linux 3.0 +1 more

Timeline

PublishedFeb 27

Latest updateApr 16

Description

Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 0.8 | Impact: 1.4

Affected Packages6 packages

▶NVDvim/vim< 9.2.0078

▶debiandebian/vim< vim 2:9.2.0119-1 (forky)

▶Debianvim/vim< 2:9.2.0119-1

▶Ubuntuvim/vim< 2:8.2.3995-1ubuntu2.26+6

▶msrcmsrc/azl3_vim_9.1.1616-1_on_azure_linux_3.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

VulDB

vim up to 9.2.0077 build_stl_str_hl stack-based overflow (GHSA-gmqx-prf2-8mwf / EUVD-2026-9090)↗2026-04-16

▶

OSV

vim vulnerabilities↗2026-03-16

▶

OSV

CVE-2026-28422: Vim is an open source, command line text editor↗2026-02-27

▶

📋Vendor Advisories

Ubuntu

Vim vulnerabilities↗2026-03-16

▶

Red Hat

vim: Vim: Integrity impact due to stack-buffer-overflow via wide terminal statusline rendering↗2026-02-27

▶

Microsoft

Vim has stack-buffer-overflow in build_stl_str_hl()↗2026-02-10

▶

Debian

CVE-2026-28422: vim - Vim is an open source, command line text editor. Prior to version 9.2.0078, a st...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28422 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-28422 vim: Vim: Integrity impact due to stack-buffer-overflow via wide terminal statusline rendering↗2026-02-27

▶