CVE-2026-28422 PUBLISHED

Vim has stack-buffer-overflow in build_stl_str_hl()

Assigner: GitHub_M
Reserved: 27.02.2026 Published: 27.02.2026 Updated: 28.02.2026

Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in build_stl_str_hl() when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
CVSS Score: 2.2

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0078 is affected

References

https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf
https://github.com/vim/vim/commit/4e5b9e31cb7484ad156f
https://github.com/vim/vim/releases/tag/v9.2.0078

Problem Types

CWE-121: Stack-based Buffer Overflow CWE