CVE-2026-28420 PUBLISHED

Vim has Heap-based Buffer Overflow and OOB Read in :terminal

Assigner: GitHub_M
Reserved: 27.02.2026 Published: 27.02.2026 Updated: 28.02.2026

Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CVSS Score: 4.4

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0076 is affected

References

https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg
https://github.com/vim/vim/commit/bb6de2105b160e729c34063
https://github.com/vim/vim/releases/tag/v9.2.0076

Problem Types

CWE-122: Heap-based Buffer Overflow CWE
CWE-125: Out-of-bounds Read CWE