PT-2026-57014 · Vim · Vim
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-59857
CVSS v4.0
5.6
Medium
| Vector | AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell soundfold sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.
Fix
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vim