CVE-2026-59857
MEDIUMVim < 9.2.0725 - SAL Soundfolding Out-of-Bounds Write
Title source: manualDescription
Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/vim/vim/security/advisories/GHSA-m3hf-xcm3-xhm2
X_Refsource_Misc x_refsource_misc
https://github.com/vim/vim/commit/d22ff1c955ff87e8273210eae125aab0e85b6c30
Scores
CVSS v3
5.5
EPSS
0.0011
EPSS Percentile
1.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-787
Status
published
Products (1)
vim/vim
< 9.2.0725 (2 CPE variants)
Published
Jul 09, 2026
Tracked Since
Jul 10, 2026