CVE-2026-45130
Published: 2026-05-08
Priority: P423 (medium) · CVSS 3.1 base score 5.5
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.25% (16.0th percentile)
Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
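The mechanism described above is a CWE-190 integer overflow feeding an allocation: a 32-bit signed product wraps to a small value, the buffer is sized from the wrapped value, and the subsequent write loop still runs for the original count. The following C program is an added illustration of that bug class and of the validation that closes it; it is not Vim's `read_compound()` code, and the section layout (a big-endian 32-bit count followed by `ENTRY_BYTES` bytes per entry), the function names and the two constructed byte sequences are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-entry width; not the real spell-file layout. */
#define ENTRY_BYTES 4

/* Reads a 4-byte big-endian length field. */
static int32_t read_be32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Vulnerable shape: the product is formed in 32-bit arithmetic with no
 * range check. The wrap is written with unsigned casts so the result is
 * deterministic; a plain signed `count * ENTRY_BYTES` overflow is
 * undefined behaviour in C. A count of 0x40000001 yields 4 here. */
int32_t naive_alloc_size(int32_t count) {
    return (int32_t)((uint32_t)count * (uint32_t)ENTRY_BYTES);
}

/* Hardened shape: validate the attacker-controlled length before it reaches
 * the multiplication. Returns 0 and sets *out on success, -1 when the count
 * is negative or the product would not fit in a 32-bit signed int. */
int checked_alloc_size(int32_t count, size_t *out) {
    if (count < 0)
        return -1;
    if (count > INT32_MAX / ENTRY_BYTES)
        return -1;
    *out = (size_t)count * ENTRY_BYTES;
    return 0;
}

/* Parses a section of the form [be32 count][count * ENTRY_BYTES payload].
 * Returns the number of entries copied into *out_entries, or -1 on
 * malformed input. Because the allocation size is validated and then
 * bounded by the bytes actually present, the copy loop cannot run past
 * either the source buffer or the destination. */
int load_section(const uint8_t *buf, size_t len, uint8_t **out_entries) {
    size_t need = 0;
    if (len < 4)
        return -1;
    int32_t count = read_be32(buf);
    if (checked_alloc_size(count, &need) != 0)
        return -1;                      /* reject before allocating */
    if (need > len - 4)
        return -1;                      /* declared payload must be present */
    uint8_t *entries = malloc(need ? need : 1);
    if (entries == NULL)
        return -1;
    for (size_t i = 0; i < need; i++)   /* write loop, now bounded by need */
        entries[i] = buf[4 + i];
    *out_entries = entries;
    return count;
}

/* Constructed sample input: a well-formed section with two entries. */
static const uint8_t GOOD_SECTION[] = {
    0x00, 0x00, 0x00, 0x02,             /* count = 2 */
    1, 2, 3, 4, 5, 6, 7, 8              /* 2 * ENTRY_BYTES payload bytes */
};

/* Constructed sample input: a header whose count wraps the naive product
 * to 4 bytes while the write loop would expect over 1 GiB of payload. */
static const uint8_t HOSTILE_SECTION[] = {
    0x40, 0x00, 0x00, 0x01,             /* count = 0x40000001 */
    'A', 'A', 'A', 'A'
};

int main(void) {
    uint8_t *entries = NULL;
    printf("naive size for 0x40000001: %d\n", naive_alloc_size(0x40000001));
    printf("good section -> %d entries\n",
           load_section(GOOD_SECTION, sizeof GOOD_SECTION, &entries));
    free(entries);
    entries = NULL;
    printf("hostile section -> %d (rejected)\n",
           load_section(HOSTILE_SECTION, sizeof HOSTILE_SECTION, &entries));
    return 0;
}
```

The detection-side takeaway is that the check belongs on the length field itself, before any arithmetic derived from it, and that the copy loop must be bounded by the validated size rather than by the raw count; rejecting the hostile header up front is what prevents the undersized allocation from ever being written past.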
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| neovim | neovim | <= 0.12.2 | — |
| ubuntu | vim | — | — |
| vim | vim | < 9.2.0450 | 9.2.0450 |
| vim | vim | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 5.5 | MEDIUM | — |
| vendor_ubuntu | — | 4.4 | MEDIUM | — |
VulDB
vim up to 9.2.0449 Spell File src/spellfile.c read_compound length heap-based overflow (GHSA-q4jv-r9gj-6cwv / Nessus ID 313607)
vuldb·2026-05-09·CVSS 6.6
CVE-2026-45130 [MEDIUM] vim up to 9.2.0449 Spell File src/spellfile.c read_compound length heap-based overflow (GHSA-q4jv-r9gj-6cwv / Nessus ID 313607)
A vulnerability, which was classified as critical, has been found in vim up to 9.2.0449. The impacted element is the function read_compound of the file src/spellfile.c of the component Spell File Handler. Performing a manipulation of the argument length results in heap-based buffer overflow.
This vulnerability is identified as CVE-2026-45130. The attack can be initiated remotely. No exploit is available.
It is advisable to upgrade the affected component.
Ubuntu
Vim vulnerabilities
vendor_ubuntu·2026-05-25·CVSS 4.4
CVE-2026-42307 [MEDIUM] Vim vulnerabilities
Title: Vim vulnerabilities
Summary: Several security issues were fixed in Vim.
Joshua Rogers discovered that Vim incorrectly handled certain URL schemes
in the netrw plugin. An attacker could possibly use this issue to execute
arbitrary commands. (CVE-2026-42307)
It was discovered that Vim incorrectly handled command-line completion for
the :find command. An attacker could possibly use this issue to execute
arbitrary commands. (CVE-2026-44656)
Daniel Cervera discovered that Vim incorrectly handled loading spell files.
An attacker could possibly use this issue to cause a denial of service, or
to execute arbitrary code. (CVE-2026-45130)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
vim: Vim: Heap buffer overflow allows arbitrary code execution or denial of service
vendor_redhat·2026-05-08·CVSS 5.5
CVE-2026-45130 [MEDIUM] CWE-190 vim: Vim: Heap buffer overflow allows arbitrary code execution or denial of service
vim: Vim: Heap buffer overflow allows arbitrary code execution or denial of service
A flaw was found in Vim, an open-source command-line text editor. A heap buffer overflow exists in the `read_compound()` function when processing a specially crafted spell file (.spl) with UTF-8 encoding active. A remote attacker could exploit this by convincing a user to open a text file containing a malicious modeline, which could then load a planted malicious spell file. This could lead to a heap overflow, potentially resulting in an application-level denial of service.
Statement: This Moderate flaw in Vim arises from a heap buffer overflow when processing specially crafted spell files with UTF-8 encoding. Exploitation requires user interaction, specifically opening a text file containing a malicious m
No detection rules found.
No public exploits indexed.
Rapid7
Patch Tuesday - May 2026
blogs_rapid7·2026-05-13·CVSS 10.0
CVE-2026-41089 [CRITICAL] Patch Tuesday - May 2026
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-45130 vim: Vim: Heap buffer overflow allows arbitrary code execution or denial of service
bugzilla·2026-05-09·CVSS 5.5
CVE-2026-45130 [MEDIUM] CVE-2026-45130 vim: Vim: Heap buffer overflow allows arbitrary code execution or denial of service
CVE-2026-45130 vim: Vim: Heap buffer overflow allows arbitrary code execution or denial of service
Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
Published: 2026-05-08