PatchSiren cyber security CVE debrief
CVE-2026-52859 vim CVE debrief
CVE-2026-52859 is a MEDIUM severity vulnerability in Vim, a command-line text editor. The vulnerability exists in the update_snapshot() function, which can lead to a crash when a program's output is rendered inside a :terminal window. This issue has been patched in version 9.2.0565.
- Vendor: vim
- Product: Unknown
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of Vim, a command-line text editor, should be aware of this vulnerability. Specifically, those who render program output inside a :terminal window are at risk.
Technical summary
The update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell, it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters.
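The pattern described above, as an added illustration that is not Vim's code and does not reproduce the terminal.c fix: a walk over a fixed-size per-cell array that stops only at NUL, beside the bounded form that also stops at the array's capacity. The cell layout, function names and the "adjacent memory" words are constructed for the demonstration; only the VTERM_MAX_CHARS_PER_CELL limit of 6 comes from the advisory. To keep the demonstration itself in bounds, the fully populated cell is placed at the start of a larger constructed array, so the unbounded walk visibly runs into the words that follow it instead of into undefined memory.

```c
/* Added illustration, not Vim's code. Shows why a NUL-only loop over a
 * six-slot cell array over-reads when all six slots are used, and the
 * bounded loop a defender would expect instead. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VTERM_MAX_CHARS_PER_CELL 6   /* per-cell limit cited in the advisory */

/* Vulnerable pattern: stop only at NUL. When every slot holds a character
 * there is no NUL inside the cell, so the walk keeps going into whatever
 * happens to sit after the array. */
static size_t count_chars_unbounded(const uint32_t *cell)
{
    size_t n = 0;
    while (cell[n] != 0)
        n++;
    return n;
}

/* Hardened pattern (generic fix, assumed here, not necessarily the exact
 * upstream change): stop at NUL or at the array capacity, whichever first. */
static size_t count_chars_bounded(const uint32_t *cell)
{
    size_t n = 0;
    while (n < VTERM_MAX_CHARS_PER_CELL && cell[n] != 0)
        n++;
    return n;
}

/* Copy one cell into a scrollback slot that also holds at most
 * VTERM_MAX_CHARS_PER_CELL entries. Returns the number of entries copied,
 * which can never exceed the destination's capacity. */
static size_t copy_cell_chars(const uint32_t *cell,
                              uint32_t out[VTERM_MAX_CHARS_PER_CELL])
{
    size_t n = count_chars_bounded(cell);
    memcpy(out, cell, n * sizeof *out);
    return n;
}

/* Constructed backing memory: a fully populated cell (base 'e' plus five
 * combining marks, no NUL) followed by three non-zero words standing in for
 * the next object in memory, then a zero so the demo itself terminates. */
static const uint32_t demo_full_cell[] = {
    0x0065, 0x0301, 0x0302, 0x0303, 0x0304, 0x0305,   /* six real characters */
    0xDEAD, 0xBEEF, 0xCAFE,                            /* "adjacent memory" */
    0
};

/* Constructed ordinary cell: 'A' plus one combining mark, then NUL padding. */
static const uint32_t demo_short_cell[VTERM_MAX_CHARS_PER_CELL] = {
    0x0041, 0x0301, 0, 0, 0, 0
};

size_t full_cell_unbounded(void)  { return count_chars_unbounded(demo_full_cell); }
size_t full_cell_bounded(void)    { return count_chars_bounded(demo_full_cell); }
size_t short_cell_unbounded(void) { return count_chars_unbounded(demo_short_cell); }
size_t short_cell_bounded(void)   { return count_chars_bounded(demo_short_cell); }

int main(void)
{
    uint32_t scrollback[VTERM_MAX_CHARS_PER_CELL];

    /* Ordinary cell: both loops agree, which is why the bug hides in testing. */
    printf("short cell: unbounded=%zu bounded=%zu\n",
           short_cell_unbounded(), short_cell_bounded());

    /* Fully populated cell: the NUL-only loop walks past the six slots. */
    printf("full cell:  unbounded=%zu bounded=%zu (capacity %d)\n",
           full_cell_unbounded(), full_cell_bounded(), VTERM_MAX_CHARS_PER_CELL);

    printf("copied %zu entries into scrollback\n",
           copy_cell_chars(demo_full_cell, scrollback));
    return 0;
}
```

The short cell shows why the defect is easy to miss: with NUL padding present, both loops return the same count. Only a cell that uses every slot exposes the difference, and the bounded loop is the one that keeps the copy within the six-entry scrollback slot.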
Defensive priority
MEDIUM
Recommended defensive actions
- Update Vim to version 9.2.0565 or later.
- Avoid rendering untrusted program output inside a :terminal window.
Evidence notes
The CVE-2026-52859 vulnerability was patched in Vim version 9.2.0565. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity.
Official resources
CVE-2026-52859 was published on 2026-06-11T19:16:47.627Z and modified on 2026-06-11T20:56:29.653Z.