PT-2026-57014 · Vim · Vim

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-59857

CVSS v4.0

5.6

Medium

VectorAV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell soundfold sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59857

Affected Products

Vim