PT-2026-25059 · Vim+3

Nathan Mills · Published 2026-01-01 · Updated 2026-05-24 · CVE-2026-32249

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Vim versions 9.1.0011 through 9.2.0136

Description

Vim, a command-line text editor, has a flaw in its NFA regex compiler that can cause a segmentation fault. It occurs when the compiler encounters a character range with a combining character as the endpoint (for example, [0-0\u05bb]). The compiler incorrectly processes the composing bytes of the character, corrupting the NFA postfix stack and leading to a NULL pointer dereference in the nfa_max_width() function when it estimates match width for look-behind assertions. The dereference happens without a NULL check, causing the segmentation fault.

Recommendations

Update Vim to version 9.2.0137 or later.
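
To check a host against the range above, the following added example (not part of the advisory or of Vim) classifies the text printed by `vim --version`. It assumes the usual banner line "VIM - Vi IMproved X.Y" and an "Included patches:" line; the function names and the sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): classify `vim --version` output
# against the affected range 9.1.0011 through 9.2.0136.

# Read `vim --version` text on stdin; print MAJOR.MINOR.PATCH (patch padded to 4 digits).
vim_version_key() {
    awk '
        /^VIM - Vi IMproved [0-9]+\.[0-9]+/ { split($5, v, "."); major = v[1]; minor = v[2] }
        /^Included patches:/ {
            # The list may have gaps ("1-16, 18-1230"); the highest number is the patch level.
            line = $0; sub(/^Included patches:[ ]*/, "", line)
            n = split(line, parts, /[^0-9]+/)
            for (i = 1; i <= n; i++) if (parts[i] + 0 > patch) patch = parts[i] + 0
        }
        END {
            if (major == "") exit 1          # banner line not found
            printf "%d.%d.%04d\n", major, minor, patch
        }'
}

# Read `vim --version` text on stdin; print affected, not-affected or unknown.
vim_cve_status() {
    key=$(vim_version_key) || { echo unknown; return 0; }
    # Fold the version into one integer so the range test is a plain comparison.
    num=$(echo "$key" | awk -F. '{ print $1 * 1000000 + $2 * 10000 + $3 }')
    if [ "$num" -ge 9010011 ] && [ "$num" -le 9020136 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample inputs (not captured from real systems).
SAMPLE_AFFECTED='VIM - Vi IMproved 9.1 (constructed sample)
Included patches: 1-16, 18-1230'
SAMPLE_FIXED='VIM - Vi IMproved 9.2 (constructed sample)
Included patches: 1-137'

printf '%s\n' "$SAMPLE_AFFECTED" | vim_cve_status   # affected
printf '%s\n' "$SAMPLE_FIXED"    | vim_cve_status   # not-affected
# On a host: vim --version | vim_cve_status
```

Distribution packages may carry a backported fix without raising the patch level, so an "affected" result on a distro build is a prompt to check the package changelog against the distribution's own advisory.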

Exploit

Fix

DoS

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

CVE-2026-32249
ECHO-FB0D-F99A-50A5
GHSA-9PHH-423R-778R
MGASA-2026-0055
USN-8171-1

Affected Products

Linuxmint
Red Os
Ubuntu
Vim