Skip to content

Heap-based Buffer Overflow and OOB Read in :terminal affects Vim < 9.2.0076

Moderate
chrisbra published GHSA-rvj2-jrf9-2phg Feb 27, 2026

Package

Vim (Vim)

Affected versions

< 9.2.0076

Patched versions

9.2.0076

Description

Heap-based Buffer Overflow and OOB Read in :terminal affects Vim < 9.2.0076

Date: 27.02.2026
Severity: Moderate
CVE: CVE-2026-28420
CWE: Heap-based Buffer Overflow (CWE-122) / Out-of-bounds Read (CWE-125)

Summary

A heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim’s
terminal emulator when processing maximum combining characters from
Unicode supplementary planes.

Description

The vulnerabilities are located in handle_pushline() in src/terminal.c.

  1. Heap Overflow: Vim reserves 21 bytes (MB_MAXBYTES) per cell via ga_grow().
    This assumes characters stay within the BMP (3 bytes max). However, a cell
    can contain up to 6 characters from supplementary planes (4 bytes each).
    This requires 24 bytes, causing a 3-byte heap overflow during conversion.

  2. OOB Read: The loop iterating over cell characters fails to check the
    boundary of the vterm_screen_cell_t.chars array. When a cell is fully
    populated, the loop condition reads index 6 of a 6-element array.

Impact

An attacker who can control the output of a program running inside a Vim
:terminal buffer can trigger a heap buffer overflow. This can result in
a crash (Denial of Service) or potential memory corruption.

Acknowledgements

The Vim project would like to thank the reporter Github users ehdgks0627 and
un3xploitable for identifying the vulnerability and providing a proof-of-concept.

References

The issue has been fixed as of Vim patch v9.2.0076

Commit
GitHub Advisory

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

CVE ID

CVE-2026-28420

Weaknesses

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Learn more on MITRE.

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer. Learn more on MITRE.

Credits