PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5953 Vim CVE debrief

CVE-2017-5953 is a critical memory-corruption issue in Vim's spell-file handling. According to the NVD record and vendor references, Vim did not properly validate tree-length values read from a spell file, which could cause an integer overflow in a memory-allocation size computation and, as a result, a buffer overflow. The issue was publicly disclosed on 2017-02-10 and is rated CVSS 3.0 9.8 (network, low complexity, no privileges, no user interaction).

Vendor: Vim
Product: CVE-2017-5953
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-10
Original CVE updated: 2026-05-13
Advisory published: 2017-02-10
Advisory updated: 2026-05-13

Who should care

Organizations running vulnerable Vim installations, especially systems that process untrusted or externally supplied spell files. System administrators, package maintainers, and security teams should prioritize patch validation and deployment across Linux distributions and embedded environments that ship Vim.

Technical summary

The vulnerability is a validation failure in spell-file parsing: attacker-controlled tree-length values are not sufficiently checked before memory allocation. NVD classifies the weakness as CWE-190 (integer overflow). The published CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that exploitation could affect confidentiality, integrity, and availability. The vendor patch is referenced in Vim commit 399c297aa93afe2c0a39e2a1b3f972aebba44c9d. NVD also lists affected Vim versions as up to 8.0.0055, while the title text says "before patch 8.0.0322"; that version-bound discrepancy is present in the source corpus and should be verified against vendor and distro packaging.
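As an added illustration (constructed for this debrief; not Vim's spell-file format or code, and NODE_SIZE, parse_tree_section and the sample buffers are all assumptions), the CWE-190 pattern the summary describes: a file-supplied tree count multiplied into an allocation size without a range check, beside a parser that validates the count against both arithmetic limits and the bytes actually present before allocating.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed format for illustration only (not Vim's spell file): a 32-bit
 * big-endian node count followed by count * NODE_SIZE bytes of node data. */
#define NODE_SIZE 4u
enum tree_err { TREE_OK = 0, TREE_SHORT_HEADER, TREE_COUNT_OVERFLOW,
                TREE_TRUNCATED, TREE_NOMEM };

/* The CWE-190 condition: an unchecked 32-bit product wraps for a large
 * file-supplied count, so an allocation sized this way is far smaller than
 * the data copied into it afterwards. Shown only to compute the wrapped size. */
uint32_t wrapped_alloc_size(uint32_t count) {
    return count * NODE_SIZE;
}

/* Hardened parse: reject a count whose byte size would wrap, and a count that
 * claims more bytes than the input holds, before any allocation happens. */
enum tree_err parse_tree_section(const unsigned char *buf, size_t buflen,
                                 unsigned char **nodes_out, size_t *count_out) {
    *nodes_out = NULL; *count_out = 0;
    if (buflen < 4) return TREE_SHORT_HEADER;
    uint32_t count = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                     ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (count > UINT32_MAX / NODE_SIZE) return TREE_COUNT_OVERFLOW;
    size_t bytes = (size_t)count * NODE_SIZE;       /* cannot wrap now */
    if (bytes > buflen - 4) return TREE_TRUNCATED;  /* declared > present */
    unsigned char *nodes = malloc(bytes ? bytes : 1);
    if (nodes == NULL) return TREE_NOMEM;
    memcpy(nodes, buf + 4, bytes);
    *nodes_out = nodes;
    *count_out = count;
    return TREE_OK;
}

/* Parse and release; returns the node count on success or -err on failure. */
long tree_count_or_error(const unsigned char *buf, size_t buflen) {
    unsigned char *nodes; size_t count;
    enum tree_err e = parse_tree_section(buf, buflen, &nodes, &count);
    if (e != TREE_OK) return -(long)e;
    free(nodes);
    return (long)count;
}

/* Constructed samples: a valid 3-node section; a count of 0x40000001 whose
 * 32-bit byte size wraps to 4; a section claiming 5 nodes with only 2 present. */
const unsigned char SAMPLE_OK[] = {0,0,0,3, 1,2,3,4, 5,6,7,8, 9,10,11,12};
const unsigned char SAMPLE_WRAP[] = {0x40,0,0,1, 1,2,3,4};
const unsigned char SAMPLE_SHORT[] = {0,0,0,5, 1,2,3,4, 5,6,7,8};
```

The wrapped size of 4 bytes for a count of 0x40000001 is the kind of value the hardened parser refuses before malloc is ever reached.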

Defensive priority

Critical. This is an unauthenticated, no-interaction vulnerability with full CIA impact in a widely deployed text editor. Patch and package updates should be treated as high priority.

Recommended defensive actions

  • Upgrade Vim to a release that includes the upstream fix referenced by commit 399c297aa93afe2c0a39e2a1b3f972aebba44c9d.
  • Check distribution security advisories and apply vendor packages from Debian DSA-3786, Gentoo GLSA 201706-26, and Ubuntu USNs as applicable.
  • Inventory systems that include Vim and verify package versions against the affected-version range in NVD before scheduling remediation.
  • Restrict or review workflows that open untrusted spell files until patched versions are confirmed.
  • Track downstream backports carefully, since the source corpus shows a version-bound inconsistency between the title text and NVD CPE range.

Evidence notes

Primary facts come from the official NVD record and the CVE record. The NVD description states that Vim before patch 8.0.0322 mishandles tree-length validation in spell-file handling, leading to integer overflow and buffer overflow. The NVD entry classifies the issue as CWE-190 and assigns CVSS 3.0 9.8. The source corpus also includes a vendor patch commit and multiple distribution advisories. One source-corpus inconsistency should be noted: the title text references "before patch 8.0.0322," while the NVD CPE range lists affected versions up to 8.0.0055.

Official resources

Publicly disclosed on 2017-02-10. The NVD record was later modified on 2026-05-13, but that does not change the original disclosure date.