CVE-2026-28421 PUBLISHED

Vim has a heap-buffer-overflow and a segmentation fault

Assigner: GitHub_M
Reserved: 27.02.2026 Published: 27.02.2026 Updated: 28.02.2026

Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS Score: 5.3

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0077 is affected

References

https://github.com/vim/vim/security/advisories/GHSA-r2gw-2x48-jj5p
https://github.com/vim/vim/commit/65c1a143c331c886dc28
https://github.com/vim/vim/releases/tag/v9.2.0077

Problem Types

CWE-20: Improper Input Validation CWE
CWE-122: Heap-based Buffer Overflow CWE