PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59857 vim CVE debrief

A boundary-length word passed to soundfold() in Vim versions prior to 9.2.0725 can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725. The vulnerability affects Vim, a command line text editor, and has a medium severity with a CVSS score of 5.6. Users of Vim, especially those using version 9.2.0724 or earlier, should update to the latest version to prevent potential crashes.

Vendor
vim
Product
Unknown
CVSS
MEDIUM 5.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of Vim, especially those using version 9.2.0724 or earlier, should update to the latest version to prevent potential crashes. This issue affects operators who use Vim, platform administrators who manage Vim deployments, vulnerability management teams who track CVE records, and security teams who review and apply patches.

Technical summary

The single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer. However, its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor.

Defensive priority

Medium

Recommended defensive actions

  • Update Vim to version 9.2.0725 or later
  • Review and apply patches for vulnerable versions
  • Monitor for potential crashes and errors in Vim
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-09T23:17:06.580Z and has not been modified since then. The NVD entry is currently Undergoing Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official CVE record and NVD entry.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T23:17:06.580Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.