{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25749", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T18:35:52.356Z", "datePublished": "2026-02-06T22:43:38.630Z", "dateUpdated": "2026-02-09T15:26:17.789Z"}, "containers": {"cna": {"title": "Heap Overflow in Vim", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43"}, {"name": "https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9"}, {"name": "https://github.com/vim/vim/releases/tag/v9.1.2132", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/releases/tag/v9.1.2132"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": "< 9.1.2132", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T22:43:38.630Z"}, "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132."}], "source": {"advisory": "GHSA-5w93-4g67-mm43", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:19:14.443777Z", "id": "CVE-2026-25749", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:26:17.789Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25749", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T15:19:14.443777Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:19:15.294Z"}}], "cna": {"title": "Heap Overflow in Vim", "source": {"advisory": "GHSA-5w93-4g67-mm43", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"status": "affected", "version": "< 9.1.2132"}]}], "references": [{"url": "https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43", "name": "https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9", "name": "https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.1.2132", "name": "https://github.com/vim/vim/releases/tag/v9.1.2132", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T22:43:38.630Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25749", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:26:17.789Z", "dateReserved": "2026-02-05T18:35:52.356Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T22:43:38.630Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "2023836A-3D6F-41D5-905A-7A0E8C1AA874", "versionEndExcluding": "9.1.2132", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132."}, {"lang": "es", "value": "Vim es un editor de texto de c\u00f3digo abierto de l\u00ednea de comandos. Antes de la versi\u00f3n 9.1.2132, existe una vulnerabilidad de desbordamiento de b\u00fafer de pila en la l\u00f3gica de resoluci\u00f3n de archivos de etiquetas de Vim al procesar la opci\u00f3n 'helpfile'. La vulnerabilidad se encuentra en la funci\u00f3n get_tagfname() en src/tag.c. Al procesar etiquetas de archivos de ayuda, Vim copia el valor de la opci\u00f3n 'helpfile' controlado por el usuario en un b\u00fafer de pila de tama\u00f1o fijo de MAXPATHL + 1 bytes (t\u00edpicamente 4097 bytes) utilizando una operaci\u00f3n STRCPY() insegura sin ninguna comprobaci\u00f3n de l\u00edmites. Este problema ha sido parcheado en la versi\u00f3n 9.1.2132."}], "id": "CVE-2026-25749", "lastModified": "2026-02-20T15:45:19.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T23:15:54.230", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/vim/vim/releases/tag/v9.1.2132"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vim: Vim: Arbitrary code execution via 'helpfile' option processing", "id": "2437843", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437843"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132."], "name": "CVE-2026-25749", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-02-06T22:43:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25749\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25749\nhttps://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9\nhttps://github.com/vim/vim/releases/tag/v9.1.2132\nhttps://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T13:26:12.000852+00:00", "value": {"mitigation_remediation": ["Upgrade Vim to version 9.1.2132 or newer, which includes the patch for the heap overflow bug.", "If an immediate update is not feasible, configure Vim to use a safe or empty 'helpfile' value or disable the helpfile option entirely to reduce risk.", "Limit write access to configuration files and environment variables that set the 'helpfile' option so that only trusted administrators can influence this value."], "summary": {"action": "Apply Patch", "impact": "Memory corruption potentially leading to arbitrary code execution"}, "threat_synthesis": {"affected_systems": "Vim version 9.1.2131 and earlier are affected. The software is an open\u2011source command line text editor widely used on Linux, macOS, and Windows, and the vulnerability concerns the handling of the helpfile option for tag resolution.", "description_and_impact": "A heap buffer overflow exists in Vim\u2019s tag file resolution logic when processing the \u2018helpfile\u2019 option. The vulnerable get_tagfname() function copies the user-controlled helpfile value into a fixed-size heap buffer using an unsafe STRCPY() operation without bounds checking, which can corrupt memory and potentially allow an attacker to execute arbitrary code or crash the editor. The flaw arises when Vim parses help file tags.", "risk_and_exploitability": "The CVSS base score is 6.6, indicating medium severity, and the EPSS score is <1%, reflecting a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or remote configuration of the helpfile option, which an attacker could influence through environment settings or configuration files. Because a heap buffer overflow can lead to code execution, the potential impact is high should exploitation succeed."}}}}, "created": "2026-02-09T10:45:07.177728+00:00", "updated": "2026-04-18T13:30:45.748375+00:00", "vendors": ["vim", "vim$PRODUCT$vim"]}