PatchSiren

CVE-2026-25749 vim CVE debrief

A heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The flaw is located in the get_tagfname() function in src/tag.c, where a user-controlled 'helpfile' option value is copied into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without bounds checking. This vulnerability affects Vim versions prior to 9.1.2132 and Neovim versions up to and including 0.11.6. The issue was published on February 6, 2026, and last modified on June 9, 2026. The vulnerability requires local access with low privileges and user interaction, but can result in high impact to integrity and availability.

Vendor: vim
Product: Unknown
CVSS: MEDIUM 6.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-06
Original CVE updated: 2026-06-09
Advisory published: 2026-02-06
Advisory updated: 2026-06-09

Who should care

System administrators managing multi-user environments with Vim installations, developers using Vim or Neovim in CI/CD pipelines, security teams tracking editor-related attack surfaces, and Neovim users awaiting a corresponding security update.

Technical summary

The vulnerability stems from an unsafe STRCPY() operation in Vim's get_tagfname() function (src/tag.c) that copies the user-controlled 'helpfile' option into a fixed-size heap buffer of MAXPATHL + 1 bytes without length validation. An attacker who can control the 'helpfile' option value—through configuration files or command-line arguments—can supply a path exceeding the buffer size, triggering a heap buffer overflow. The overflow can corrupt adjacent heap metadata or data structures, potentially leading to denial of service (application crash) or integrity degradation. The attack requires local access and user interaction (e.g., opening a crafted file or running Vim with malicious configuration), with low privileges. The confidentiality impact is none per CVSS, but integrity and availability impacts are rated high. The fix in version 9.1.2132 replaces the unsafe copy with bounds-checked operations.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Vim to version 9.1.2132 or later to eliminate the vulnerability
  • For Neovim users, monitor vendor channels for an updated release addressing this issue
  • Restrict untrusted users from modifying Vim configuration files that set the 'helpfile' option
  • Review and audit custom Vim configurations for unusually long 'helpfile' path values
  • Consider applying the upstream patch commit if immediate upgrading is not feasible
  • Deploy application allowlisting and execution controls to limit Vim usage to authorized contexts
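
For the configuration audit recommended above, the following added example (not code from Vim, Neovim or the advisory) scans Vim script text for assignments to 'helpfile' or its short name 'hf' and reports values longer than MAXPATHL. The 1024-byte review threshold, the function names and the sample vimrc are assumptions made for illustration.

```python
import re

MAXPATHL = 4096    # page: the buffer is MAXPATHL + 1 bytes, typically 4097
REVIEW_LEN = 1024  # assumed threshold for an "unusually long" value
SET_CMDS = (("set", 2), ("setglobal", 4), ("setlocal", 4))  # name, shortest abbreviation
CMD_RE = re.compile(r"^\s*:*\s*([a-z]+)\s+(.*)$")
OPT_RE = re.compile(r"(?:^|\s)(?:helpfile|hf)[+^]?=((?:\\.|\S)*)")
LET_RE = re.compile(r"^&(?:[gl]:)?(?:helpfile|hf)\b")

def logical_lines(text):
    """Fold Vim '\\' continuation lines; return [first line number, joined line]."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if out and raw.lstrip().startswith("\\"):
            out[-1][1] += raw.lstrip()[1:]
        else:
            out.append([n, raw])
    return out

def audit_vimscript(text):
    """Return (line, severity, detail) for each risky assignment to 'helpfile'."""
    findings = []
    for n, line in logical_lines(text):
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd, args = m.groups()
        if cmd == "let" and LET_RE.match(args):
            # The right-hand side is an expression, so it cannot be measured statically.
            findings.append((n, "review", "dynamic :let assignment, length unknown"))
        elif any(full.startswith(cmd) and len(cmd) >= k for full, k in SET_CMDS):
            for value in OPT_RE.findall(args):
                size = len(value.encode("utf-8"))
                if size > MAXPATHL:
                    findings.append((n, "critical", f"{size} bytes exceeds MAXPATHL"))
                elif size > REVIEW_LEN:
                    findings.append((n, "review", f"{size} bytes is unusually long"))
    return findings

SAMPLE_VIMRC = "\n".join([  # constructed sample input, not from a real system
    "set nocompatible",
    "set helpfile=/usr/share/vim/vim91/doc/help.txt",
    "se hf=/tmp/" + "A" * 5000,
    "setglobal helpfile=/opt/",
    "      \\" + "d/" * 600,
    'let &helpfile = repeat("x", 9000)',
])

if __name__ == "__main__":
    print(*audit_vimscript(SAMPLE_VIMRC), sep="\n")
```

The scan measures literal values only: environment variables inside a value and strings built with :execute are not expanded, so treat a clean result as a first pass.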

Evidence notes

The vulnerability is confirmed through the official vendor security advisory and patch commit. The NVD record lists both Vim and Neovim as affected products, with CPE criteria specifying Vim versions before 9.1.2132 and Neovim versions up to 0.11.6. The CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H, scoring 6.6 (MEDIUM). The weakness is classified as CWE-122 (Heap-based Buffer Overflow).
