PatchSiren cyber security CVE debrief
CVE-2026-45130 vim CVE debrief
A heap buffer overflow vulnerability exists in Vim prior to version 9.2.0450, specifically in the `read_compound()` function within `src/spellfile.c`. The flaw occurs when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section can overflow a 32-bit signed integer multiplication, resulting in a small buffer allocation that is subsequently overflowed by a write loop executing many iterations. The attack vector is notable because the 'spelllang' option can be set via a modeline, meaning a malicious text file's modeline can trigger spell file loading if a crafted .spl file has been planted on the runtimepath. This vulnerability was published on 2026-05-08 and last modified on 2026-05-18. The issue has been patched in Vim version 9.2.0450.
- Vendor: vim
- Product: Unknown
- CVSS: MEDIUM 6.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-18
Who should care
System administrators maintaining multi-user Vim installations, security teams in development environments with shared tooling, and users who open untrusted text files in Vim should prioritize this patch. Organizations with centralized Vim configurations or custom spell file distributions should audit their runtimepath for integrity. Developers using Vim in CI/CD pipelines or containerized environments should ensure base images are updated to patched versions.
Technical summary
The vulnerability stems from an integer overflow in the compound section length calculation within `read_compound()` in `src/spellfile.c`. When processing a spell file with UTF-8 encoding, a 32-bit signed integer multiplication overflows, so the computed size is far smaller than the data it is meant to hold and only a small heap buffer is allocated. The subsequent write loop iterates based on the attacker-controlled (pre-overflow) length, writing far beyond the allocated buffer boundary. The modeline attack vector is significant: Vim's 'spelllang' option can be set via modeline directives embedded in text files, enabling automatic spell file loading when a file is opened. If an attacker has previously planted a malicious .spl file on the runtimepath (e.g., in a world-writable directory or via supply chain compromise), opening a text file with a crafted modeline triggers the vulnerable code path. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H reflects a local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, low confidentiality and integrity impact, and high availability impact due to the potential crash or memory corruption.
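As an added illustration that is not code from Vim or from this advisory, the following C models the size-calculation overflow described above beside the overflow-checked sizing a fix would use; ENTRY_BYTES and the function names are assumptions made for the example.

```c
/* Hypothetical model of the CVE-2026-45130 bug class, not Vim's read_compound():
 * an attacker-controlled count is multiplied in 32-bit signed arithmetic to size
 * a heap buffer that a later loop fills 'count' times. ENTRY_BYTES and the
 * function names are assumptions made for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define ENTRY_BYTES 7   /* assumed per-entry expansion; not Vim's real value */

/* Vulnerable pattern: the 32-bit product wraps, so a huge count yields a small
 * (or negative) size while the write loop still runs 'count' times. Wraparound
 * is modelled with unsigned arithmetic plus a cast so it is well defined here. */
int32_t alloc_size_unchecked(int32_t count)
{
    uint32_t wrapped = (uint32_t)count * (uint32_t)ENTRY_BYTES;
    return (int32_t)wrapped;   /* two's-complement reinterpretation */
}

/* Hardened form: validate the count and prove the product fits before
 * multiplying. Returns false (and leaves *out untouched) for a negative count
 * or any product that would exceed the 32-bit length domain. */
bool alloc_size_checked(int32_t count, size_t *out)
{
    if (count < 0)
        return false;
    if ((uint64_t)count * ENTRY_BYTES > (uint64_t)INT32_MAX)
        return false;          /* would overflow the signed 32-bit length */
    if ((size_t)count > SIZE_MAX / ENTRY_BYTES)
        return false;          /* also guard the size_t multiply on 32-bit hosts */
    *out = (size_t)count * ENTRY_BYTES;
    return true;
}

/* Test-friendly wrapper: the checked size, or -1 when the input is rejected. */
int64_t checked_size_or_neg(int32_t count)
{
    size_t n;
    return alloc_size_checked(count, &n) ? (int64_t)n : -1;
}

/* Allocate the compound buffer only when the size is sane; caller frees.
 * Zero-length requests are rejected so no empty buffer is ever written into. */
unsigned char *alloc_compound_buf(int32_t count)
{
    size_t n;
    if (!alloc_size_checked(count, &n) || n == 0)
        return NULL;
    return calloc(n, 1);
}
```

With a count of 613566757 the unchecked product wraps to 3 bytes, which is the shape of allocation the write loop then overruns; the checked version rejects that same count outright.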
Defensive priority
high
Recommended defensive actions
- Upgrade Vim to version 9.2.0450 or later to remediate this vulnerability.
- Audit systems for unauthorized .spl files in Vim runtimepath directories, particularly in shared or multi-user environments.
- Consider disabling modeline support in Vim (`set nomodeline` in vimrc) as a defense-in-depth measure to reduce attack surface from untrusted text files.
- Implement file integrity monitoring on Vim configuration and runtime directories to detect unauthorized spell file placement.
- Review and restrict write permissions to Vim runtimepath directories to prevent malicious file planting by unprivileged users.
Evidence notes
The vulnerability description is sourced from the official CVE record and NVD entry, with technical details corroborated by the GitHub Security Advisory (GHSA-q4jv-r9gj-6cwv) and the oss-security mailing list disclosure. The patch commit (92993329178cb1f72d700fff45ca86e1c2d369f8) confirms the fix location in `src/spellfile.c`.
Official resources
- CVE-2026-45130 CVE record (CVE.org)
- CVE-2026-45130 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference (reference tags: Patch)
- Source reference (reference tags: Product)
- Mitigation or vendor reference (reference tags: Exploit, Patch, Vendor Advisory)
- Mitigation or vendor reference from source af854a3a-2127-422b-91ae-364da2661108 (reference tags: Mailing List, Third Party Advisory)
2026-05-08