CVE-2026-25749
MEDIUM
CVSS 6.6
No EPSS data
Description
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
EPSS
This CVE is not currently listed in the EPSS dataset.
{
  "cve": {
    "id": "CVE-2026-25749",
    "cveTags": [],
    "metrics": {
      "ssvcV203": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "ssvcData": {
            "id": "CVE-2026-25749",
            "role": "CISA Coordinator",
            "options": [
              {
                "exploitation": "none"
              },
              {
                "automatable": "no"
              },
              {
                "technicalImpact": "partial"
              }
            ],
            "version": "2.0.3",
            "timestamp": "2026-02-09T15:19:14.443777Z"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "type": "Secondary",
          "source": "security-advisories@github.com",
          "cvssData": {
            "scope": "UNCHANGED",
            "version": "3.1",
            "baseScore": 6.6,
            "attackVector": "LOCAL",
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
            "integrityImpact": "HIGH",
            "userInteraction": "REQUIRED",
            "attackComplexity": "LOW",
            "availabilityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "confidentialityImpact": "NONE"
          },
          "impactScore": 5.2,
          "exploitabilityScore": 1.3
        }
      ]
    },
    "affected": [
      {
        "source": "security-advisories@github.com",
        "affectedData": [
          {
            "vendor": "vim",
            "product": "vim",
            "versions": [
              {
                "status": "affected",
                "version": "< 9.1.2132"
              }
            ]
          }
        ]
      }
    ],
    "published": "2026-02-06T23:15:54.230",
    "references": [
      {
        "url": "https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9",
        "tags": [
          "Patch"
        ],
        "source": "security-advisories@github.com"
      },
      {
        "url": "https://github.com/vim/vim/releases/tag/v9.1.2132",
        "tags": [
          "Product"
        ],
        "source": "security-advisories@github.com"
      },
      {
        "url": "https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43",
        "tags": [
          "Exploit",
          "Patch",
          "Vendor Advisory"
        ],
        "source": "security-advisories@github.com"
      }
    ],
    "vulnStatus": "Analyzed",
    "weaknesses": [
      {
        "type": "Secondary",
        "source": "security-advisories@github.com",
        "description": [
          {
            "lang": "en",
            "value": "CWE-122"
          }
        ]
      }
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132."
      },
      {
        "lang": "es",
        "value": "Vim es un editor de texto de c\u00f3digo abierto de l\u00ednea de comandos. Antes de la versi\u00f3n 9.1.2132, existe una vulnerabilidad de desbordamiento de b\u00fafer de pila en la l\u00f3gica de resoluci\u00f3n de archivos de etiquetas de Vim al procesar la opci\u00f3n 'helpfile'. La vulnerabilidad se encuentra en la funci\u00f3n get_tagfname() en src/tag.c. Al procesar etiquetas de archivos de ayuda, Vim copia el valor de la opci\u00f3n 'helpfile' controlado por el usuario en un b\u00fafer de pila de tama\u00f1o fijo de MAXPATHL + 1 bytes (t\u00edpicamente 4097 bytes) utilizando una operaci\u00f3n STRCPY() insegura sin ninguna comprobaci\u00f3n de l\u00edmites. Este problema ha sido parcheado en la versi\u00f3n 9.1.2132."
      }
    ],
    "lastModified": "2026-06-17T10:25:09.910",
    "configurations": [
      {
        "nodes": [
          {
            "negate": false,
            "cpeMatch": [
              {
                "criteria": "cpe:2.3:a:neovim:neovim:*:*:*:*:*:*:*:*",
                "vulnerable": true,
                "matchCriteriaId": "4B88B669-1286-4EFD-BFC6-0429CD3DDDFE",
                "versionEndIncluding": "0.11.6"
              },
              {
                "criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*",
                "vulnerable": true,
                "matchCriteriaId": "2023836A-3D6F-41D5-905A-7A0E8C1AA874",
                "versionEndExcluding": "9.1.2132"
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sourceIdentifier": "security-advisories@github.com"
  }
}