CVE-2026-57452 PUBLISHED

Vim: Out-of-bounds Read with libsodium-encrypted Files

Assigner: GitHub_M
Reserved: 24.06.2026 Published: 25.06.2026 Updated: 25.06.2026

Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS Score: 5.5

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	vim
Product	vim
Versions	Version < 9.2.0671 is affected

References

Problem Types

CWE-125: Out-of-bounds Read CWE
CWE-191: Integer Underflow (Wrap or Wraparound) CWE